Threat Category: Malicious or privacy-invasive application
ID: APP-12
Threat Description: Persistent information that can be used to identify or characterize a specific mobile device in one or more contexts, such as IMEI, IMSI, MAC address, phone number, mobile OS, or installed apps, may be collected by a malicious or privacy-invasive app to facilitate future attacks. These values, particularly in combination, greatly increase potential for geo-physical or behavioral tracking, device fingerprinting, and impersonation attacks against the device or its user.
Threat Origin
The Google Android Security Team’s Classifications for Potentially Harmful Applications 1
Exploit Examples
CVE Examples
Not Applicable
Possible Countermeasures
Deploy MAM or MDM solutions with policies that prohibit the sideloading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Perform application vetting to identify inappropriate behaviors by apps including permission requests made by the apps
Use application threat intelligence data about potential data collection risks associated with apps installed on devices
Mobile Device UserUse Android Verify Apps feature to identify apps that may abuse permissions to perform data collection.
Consider the use of devices that support Android 11 or higher, in which applications have limited visibility of what other apps are on the device.
References
The Google Android Security Team’s Classifications for Potentially Harmful Applications, Apr. 2016; https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf [accessed 8/25/2016] ↩
W. Zhou et al., “Slembunk: An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps”, blog, 17 Dec. 2015; www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html [accessed 8/25/2016] ↩
“An investigation of Chrysaor Malware on Android”, blog, 3 Apr. 2017; https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html [accessed 4/5/2017] ↩