{ "id": "5c6750a4-2a06-4ac0-b67e-b847eab8d639", "created_at": "2026-04-06T00:18:07.261775Z", "updated_at": "2026-04-10T13:13:03.161055Z", "deleted_at": null, "sha1_hash": "d732961f3276b296406689974731abdf1ced2154", "title": "APP-27 · Mobile Threat Catalogue", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 42035, "plain_text": "APP-27 · Mobile Threat Catalogue\r\nArchived: 2026-04-05 19:42:08 UTC\r\nMobile Threat Catalogue\r\nPersistance via Writing to System Partition\r\nContribute\r\nThreat Category: Malicious or privacy-invasive application\r\nID: APP-27\r\nThreat Description: Malicious code that has achieved privilege escalation to the kernel or root user may achieve\r\npersistence by modifying memory locations reserved for use by the bootloader, mobile OS, or kernel to force the\r\nexecution of malicious code following a device reboot or integrated factory reset.\r\nThreat Origin\r\nNot Applicable, See Exploit or CVE Examples\r\nExploit Examples\r\nBrain Test re-emerges: 13 apps found in Google Play 1\r\nCVE Examples\r\nCVE-2016-10277\r\nPossible Countermeasures\r\nEnterprise\r\nDeploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security\r\nchecks on the app.\r\nDeploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app\r\nstores.\r\nUse application threat intelligence data about apps that may achieve malicious persistence\r\nUse app-vetting tools or services to identify apps that exploit the underlying OS to achieve malicious persistence.\r\nDeploy MDM solutions that require successful boot attestation prior to granting access to enterprise resources.\r\nMobile Device User\r\nhttps://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html\r\nPage 1 of 2\n\nUse Android Verify Apps feature to identify potentially harmful apps.\r\nMobile App Developer\r\nTo avoid executing apps that process sensitve information while low-level malware is present on the device,\r\nperform device integrity checking within enterprise applications, such as use of Android SafetyNet, Samsung\r\nKnox hardware-backed remote attestation, or other applicable remote attestation technologies device integrity\r\nattestation API\r\nReferences\r\nSource: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html\r\nhttps://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "origins": [ "web" ], "references": [ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html" ], "report_names": [ "APP-27.html" ], "threat_actors": [ { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434687, "ts_updated_at": 1775826783, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d732961f3276b296406689974731abdf1ced2154.pdf", "text": "https://archive.orkl.eu/d732961f3276b296406689974731abdf1ced2154.txt", "img": "https://archive.orkl.eu/d732961f3276b296406689974731abdf1ced2154.jpg" } }