
S0291: PJApps

PJApps is an Android malware family. [1]

Domain: Mobile | ID: S0291 | Type: Malware | Object version: 1.0 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

PJApps matters because it is identified by ATT&CK as an Android malware family with behaviors tied to mobile discovery, location tracking, and generating outbound traffic from a victim device. For business leaders, the decision value is not a specific campaign claim; it is a reminder that unmanaged or poorly monitored mobile devices can become sources of sensitive context, physical-location exposure, and unwanted network/SMS/web activity.

Executive priority

Prioritize validation of mobile security controls where Android devices access enterprise apps, data, or networks. Leaders should ask whether mobile device posture, application vetting, permission governance, and incident response evidence are strong enough to show auditors and executives what happened if a spoofed or malicious app is found. This is especially relevant where device location, mobile billing, or employee safety could create business, privacy, or operational risk.

Technical view

ATT&CK provides no official detection text for PJApps, so SOC and IR teams should validate coverage through the related behaviors: System Network Configuration Discovery (T1422), Location Tracking (T1430), and Generate Traffic from Victim (T1643). For Android-focused environments, review whether mobile telemetry can expose suspicious app permissions, location access, network configuration access, outbound web activity, and SMS-related activity where available. Detection should be behavior-led rather than family-name-led because the supplied ATT&CK object is sparse.

Likely telemetry

  • Mobile device management or enterprise mobility management inventory and compliance state
  • Installed mobile application inventory, including app source and package metadata where available
  • Android application permission declarations and permission use, especially location and SMS-related permissions
  • Mobile network, DNS, proxy, or secure web gateway records for outbound traffic from enrolled devices
  • Carrier, SMS, or mobile billing records where legally and operationally available

Detection direction

  • Confirm whether mobile monitoring distinguishes approved enterprise apps from spoofed or unexpected applications, consistent with the external reference theme of spoofed enterprise apps.
  • Tune for combinations of risk signals rather than single permissions: unexpected app plus location access, network discovery indicators, or unusual outbound traffic is more meaningful than permission presence alone.
  • Validate visibility gaps for personally owned devices, unenrolled devices, devices outside corporate network paths, and mobile traffic that bypasses enterprise proxies.
  • Account for false positives from legitimate enterprise apps that require location, network state, or messaging capabilities; detections should compare against approved app behavior and business justification.
  • Because ATT&CK provides no official detection guidance for this malware object, test detections against the related techniques and local mobile telemetry rather than assuming named-malware coverage.
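As an added example (not Glexia's or MITRE's code), the following Python scores combinations of the risk signals listed above over constructed MDM inventory and secure-web-gateway records, so an unexpected app is escalated only when corroborated by sensitive permissions or non-allowlisted egress. The package names, the permission-to-technique mapping, the approved-app list and the proxy allowlist are assumptions for illustration.

```python
# Added example: combine mobile risk signals instead of alerting on single permissions.
# All inventory, allowlist and traffic values below are constructed samples.
APPROVED = {"com.example.corpmail", "com.example.maps"}   # hypothetical approved app inventory
PERMISSION_TECHNIQUES = {                                   # permission -> related ATT&CK technique
    "ACCESS_FINE_LOCATION": "T1430",
    "ACCESS_COARSE_LOCATION": "T1430",
    "SEND_SMS": "T1643",
    "READ_PHONE_STATE": "T1422",   # exposes phone number / IMEI on older Android releases
    "ACCESS_NETWORK_STATE": "T1422",
}
PROXY_ALLOWLIST = {"mail.example.com", "maps.example.com"}  # hypothetical approved destinations

INVENTORY = [  # constructed MDM/EMM application records
    {"pkg": "com.example.corpmail", "source": "managed-store",
     "perms": ["ACCESS_NETWORK_STATE", "READ_PHONE_STATE"]},
    {"pkg": "com.example.corpmail.free", "source": "sideload",      # lookalike of an approved app
     "perms": ["ACCESS_FINE_LOCATION", "SEND_SMS", "READ_PHONE_STATE"]},
    {"pkg": "com.example.maps", "source": "managed-store",
     "perms": ["ACCESS_FINE_LOCATION"]},
]
TRAFFIC = [  # constructed gateway records: (package, destination)
    ("com.example.corpmail.free", "198.51.100.7"),
    ("com.example.maps", "maps.example.com"),
]

def score_app(app, traffic, approved=APPROVED, allowlist=PROXY_ALLOWLIST):
    """Return (score, reasons, techniques); score 0 means nothing to escalate."""
    reasons, techniques = [], set()
    unexpected = app["pkg"] not in approved or app["source"] != "managed-store"
    if not unexpected:
        return 0, reasons, []            # approved app from the managed store: compare to baseline instead
    reasons.append(f"unexpected app {app['pkg']} from {app['source']}")
    for perm in app["perms"]:
        if perm in PERMISSION_TECHNIQUES:
            techniques.add(PERMISSION_TECHNIQUES[perm])
            reasons.append(f"sensitive permission {perm}")
    dests = {d for pkg, d in traffic if pkg == app["pkg"] and d not in allowlist}
    if dests:
        techniques.add("T1643")
        reasons.append(f"non-allowlisted egress {sorted(dests)}")
    # an unexpected app alone scores 1; each corroborating signal raises the score
    return len(reasons), reasons, sorted(techniques)

def findings(inventory=INVENTORY, traffic=TRAFFIC, threshold=2):
    """Escalate only apps whose combined signals reach the threshold."""
    out = []
    for app in inventory:
        score, reasons, techniques = score_app(app, traffic)
        if score >= threshold:
            out.append({"pkg": app["pkg"], "score": score,
                        "techniques": techniques, "reasons": reasons})
    return out
```

The lookalike sideloaded package is the only one escalated; the approved apps holding location or phone-state permissions score zero, matching the false-positive guidance above.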

Mitigation priorities

  • Maintain an approved mobile application inventory and enforce app source and installation policies where enterprise control is permitted.
  • Review mobile app permissions for enterprise-approved Android apps, especially location and SMS-related access, and require business justification for sensitive permissions.
  • Use mobile device management or equivalent controls to support device posture, application compliance, and response actions for devices accessing enterprise resources.
  • Prepare mobile incident response procedures for suspicious or spoofed apps, including evidence preservation, user notification, containment, and access review.
  • For compliance readiness, retain evidence of mobile application governance, device enrollment scope, permission review, and response decisions.

Analyst notes and limits

The supplied ATT&CK object identifies PJApps only as an Android malware family and provides one external reference plus three technique relationships. The strongest defensive use is to map the malware family to mobile control validation: app vetting, permission governance, mobile telemetry, and response readiness.

Platforms and tactics are not specified on the PJApps object, and official detection guidance is not provided. The related techniques include Android and iOS generally, but PJApps itself is described as Android malware; conclusions should be validated against the organization’s actual mobile estate and telemetry.

Official MITRE ATT&CK definition

PJApps

PJApps is an Android malware family. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID    | Name                                   | Relationship / procedure
Mobile | T1430 | Location Tracking                      | PJApps has the capability to collect and leak the victim's location. [1]
Mobile | T1643 | Generate Traffic from Victim           | PJApps has the capability to send messages to premium SMS numbers. [1]
Mobile | T1422 | System Network Configuration Discovery | PJApps has the capability to collect and leak the victim's phone number and mobile device unique identifier (IMEI). [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: bb589b9f7022750d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | bb589b9f7022…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Lookout-EnterpriseApps: Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.
  2. [2] PJApps (Citation: Lookout-EnterpriseApps)
  3. [3] mitre-attack S0291

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.