Applications

Contribute

Application Vulnerabilities: This subcategory contains threats relating to discrete software vulnerabilities residing within mobile applications running atop the mobile operating system. Note: Some vulnerabilities may be specific to a particular mobile OS, while others may be generally applicable.

Malicious or privacy-invasive application: This subcategory identifies mobile malware based threats, based in part off of Google's mobile classification taxonomy. There are no specific software vulnerabilities within this subcategory, and accordingly no CVEs are cited. Additional malware categories are included within subcategory.

Threat List

Application Vulnerabilities

• APP-0: Eavesdropping on Unencrypted App Traffic
• APP-1: Man-in-the-middle Attack on Server Authentication
• APP-2: Sensitive Information Exposure
• APP-3: Sensitive Information in System Logs
• APP-4: Need to Use a Known Vulnerable App or Device
• APP-5: Malicious Code Downloaded via Malicious URL
• APP-6: Vulnerable Third-Party Library
• APP-7: Data or Functionality Exposed to Untrusted Apps
• APP-8: WebView App Vulnerable to Browser-Based Attacks
• APP-9: Compromised Backend Server
• APP-10: Poorly Implemented Cryptography
• APP-11: Untrusted Input to Sensitive Operations

Malicious or privacy-invasive applications

• APP-12: Malicious Device Information Gathering
• APP-13: Sensitive Information Discovery via OS APIs
• APP-14: Masquerade as Legitimate Application
• APP-15: Distribution of malicious apps by a 3rd party store (DEPRECATED)
• APP-16: Premium SMS Fraud
• APP-17: Intercepting SMS Messages
• APP-18: Premium Service Fraud (DEPRECATED)
• APP-19: Audio or Video Surveillance
• APP-20: Loading Malicious Code at Runtime
• APP-21: App Vetting Misses Malicious App
• APP-22: Avoiding Uninstallation via Permissions Abuse
• APP-23: Ransoming Assets via Device Management Abuse
• APP-24: Covertly Track Device Location
• APP-25: Abusing Existing Root Access
• APP-26: Privilage Escalation via OS Vulnerability
• APP-27: Persistance via Writing to System Partition
• APP-28: Encrypting and Ransoming Files
• APP-29: Command-and-control Traffic Evades Analysis
• APP-30: Exfiltration Evades Analysis
• APP-31: Masquerading as a Legitimate Application
• APP-32: Exploiting Access to Enterprise Resources
• APP-33: Bypassing OS Private API Controls
• APP-34: App Provides Remote Control Over Device
• APP-35: Retrieving Sensitive Information from Clipboard
• APP-36: Pre-Installed Apps Invading Privacy
• APP-37: Unknowingly Performing Hidden Actions in Other Apps
• APP-38: Abusing Device Resources for Computations
• APP-39: Using Device for DDoS
• APP-40: Capturing Raw Screen Buffer
• APP-41: Recording Audio by Placing or Answering Phone Calls
• APP-43: Malware Uninstalls Itself