{ "id": "02465035-52a4-4641-84f0-77f5d58b586f", "created_at": "2026-04-06T01:30:12.364528Z", "updated_at": "2026-04-10T03:20:22.408421Z", "deleted_at": null, "sha1_hash": "edefe728128b93934c5ae15a9a070e8384cd36da", "title": "ECO-16 · Mobile Threat Catalogue", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47658, "plain_text": "ECO-16 · Mobile Threat Catalogue\r\nArchived: 2026-04-06 00:40:47 UTC\r\nMobile Threat Catalogue\r\nModify or Replace Deployed App\r\nContribute\r\nThreat Category: Mobile Application Store\r\nID: ECO-16\r\nThreat Description: App developer’s credentials typically have permission to push app updates to the respective\r\napp store. If these credentials are somehow obtained by an attacker, they could replace the genuine application\r\nwith a version embedded with malware.\r\nThreat Origin\r\nKeep out hijackers: Secure your app store dev account 1\r\nExploit Examples\r\nMajor security hole allows Apple passwords to be reset with only email address, date of birth (update) 2\r\nCVE Examples\r\nNot Applicable\r\nPossible Countermeasures\r\nEnterprise\r\nUse app-vetting tools or services to determine that apps appear free of malicious behaviors or vulnerabilities prior\r\nto authorizing their use.\r\nTo decrease the time to detection for malicious apps, use app threat intelligence services to detect malicious apps\r\ninstalled on devices\r\nEducate end users to scrutinize the permissions requested by apps, particularly if an updated version requests\r\nsignificantly different permissions than previous ones.\r\nMobile App Developer\r\nhttps://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html\r\nPage 1 of 2\n\nTo reduce the potential for an attacker to impersonate you to official apps stores, follow best practices to protect\r\nyour developer accounts, such as using multi-factor authentication. 3 \r\n4\r\nTo reduce the potential for an attacker to craft malicious apps that validate against your developer account, follow\r\nbest practices to protect cryptographic signing material for applications 5\r\nMobile Device User\r\nTo decrease the time to detection for malicious apps, use Android Verify Apps feature.\r\nReferences\r\n1. G. Gruman, “Keep out hijackers: Secure your app store dev account,” InfoWorld, 5 Dec. 2014;\r\nwww.infoworld.com/article/2854963/mobile-development/how-to-keep-your-app-store-dev-account-from-being-hijacked.html ↩\r\n2. C. Welch, “Major security hole allows Apple passwords to be reset with only email address, date of birth\r\n(update),” The Verge, 22 Mar. 2013; www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth ↩\r\n3. Protect your developer account, Google, 2016, https://support.google.com/googleplay/android-developer/answer/2543765?hl=en [accessed 8/25/16] ↩\r\n4. Security and your Apple ID, Apple, 2016, https://support.apple.com/en-us/HT201303 [accessed 8/25/16] ↩\r\n5. Secure Your Private Key, in User Guide, https://developer.android.com/studio/publish/app-signing.html#secure-key [accessed 8/25/16] ↩\r\nSource: https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html\r\nhttps://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html" ], "report_names": [ "ECO-16.html" ], "threat_actors": [], "ts_created_at": 1775439012, "ts_updated_at": 1775791222, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/edefe728128b93934c5ae15a9a070e8384cd36da.pdf", "text": "https://archive.orkl.eu/edefe728128b93934c5ae15a9a070e8384cd36da.txt", "img": "https://archive.orkl.eu/edefe728128b93934c5ae15a9a070e8384cd36da.jpg" } }