Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1475: Deliver Malicious App via Authorized App Store

Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.

App stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:

* Download New Code at Runtime * Obfuscated Files or Information

Adversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. [1] [2] [3] [4]

Adversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. [2]

Adversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. [5] [6] (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)

MobileT1475TechniqueObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Historical object

This ATT&CK object is revoked or deprecated in the current MITRE ATT&CK release.

It remains available for historical context and inbound links. Use current ATT&CK relationships and replacement guidance before basing detection or reporting work on this page.

Glexia's Take

Analyst summary pending validation

Glexia publishes ATT&CK takes only after source-hash and schema validation. Until then, use the official MITRE definition below and the defensive relationship context on this page.

Official MITRE ATT&CK definition

Deliver Malicious App via Authorized App Store

Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.

App stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:

* Download New Code at Runtime * Obfuscated Files or Information

Adversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. [1] [2] [3] [4]

Adversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. [2]

Adversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. [5] [6] (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

4 rows
Domain ID Name Relationship / procedure
Mobile Fake Developer Accounts Fake Developer Accounts revoked by this object.
Mobile Stolen Developer Credentials or Signing Keys Stolen Developer Credentials or Signing Keys revoked by this object.
Mobile Remotely Install Application Remotely Install Application revoked by this object.
Mobile Detect App Analysis Environment Detect App Analysis Environment revoked by this object.
Relationship explorer

All related ATT&CK context

revoked by · Technique Fake Developer Accounts Mobile revoked by · Technique Stolen Developer Credentials or Signing Keys Mobile revoked by · Technique Remotely Install Application Mobile revoked by · Technique Detect App Analysis Environment Mobile
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
8b80bc94b5b64fd0...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle Deprecated 8b80bc94b5b6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Petsas

    Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016.

    Open source URL
  2. [2]
    Oberheide-Bouncer

    Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016.

    Open source URL
  3. [3]
    Percoco-Bouncer

    Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016.

    Open source URL
  4. [4]
    Wang

    Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016.

    Open source URL
  5. [5]
    Oberheide-RemoteInstall

    Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016.

    Open source URL
  6. [6]
    Konoth

    Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved December 12, 2016.

    Open source URL
  7. [7]
    NIST Mobile Threat Catalogue APP-20
    Open source URL
  8. [8]
    NIST Mobile Threat Catalogue APP-21
    Open source URL
  9. [9]
    NIST Mobile Threat Catalogue ECO-16
    Open source URL
  10. [10]
    NIST Mobile Threat Catalogue ECO-17
    Open source URL
  11. [11]
    NIST Mobile Threat Catalogue ECO-22
    Open source URL
  12. [12]
    NIST Mobile Threat Catalogue ECO-4
    Open source URL
  13. [13]
    mitre-attack T1475
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use