T1655.001: Match Legitimate Name or Location
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`).
Adversaries may also use the same icon of the file or application they are trying to mimic.
Analyst context for executives and security teams
This mobile technique matters because malicious apps or files can look familiar enough for users and some review processes to trust them: matching a legitimate app name, icon, package name, or location can hide risk in plain sight on Android and iOS devices. For leaders, the decision issue is not just whether mobile security tooling exists, but whether the organization can distinguish a trusted mobile app from a lookalike when names and icons are intentionally misleading.
Executive priority
Prioritize this where mobile devices have access to email, identity workflows, banking/financial apps, sensitive communications, or operational systems. The supplied ATT&CK relationships show this behavior across multiple Android malware families, banking trojans, spyware, RATs, and campaigns, making it relevant to mobile device governance, user guidance, incident triage, and audit evidence around approved applications. Executives should ask whether mobile app allowlisting, MDM inventory, user training, and incident response playbooks rely too heavily on display names or icons instead of stronger app identity evidence.
Technical view
ATT&CK lists this as a mobile sub-technique of Masquerading for Android and iOS. The core validation task is to compare user-visible app attributes against stronger identifiers: package name, signing certificate, install source, app hash, app permissions, and expected file or resource location. MITRE does not provide official detection text for this object, but a related detection strategy, DET0609, is linked. SOC and IR teams should test whether current mobile telemetry can expose mismatches such as trusted-looking names/icons paired with unexpected package names, suspicious install sources, or app identities not approved for the environment.
Likely telemetry
- Mobile device management or enterprise mobility inventory of installed applications
- Application package names, display names, icons, versions, and install sources
- Mobile app signing certificate or developer identity metadata where available
- Application hashes or known-good app catalog records
- File/resource path or location metadata on managed mobile devices where collected
Detection direction
- Validate that detections do not depend only on app display name or icon, since this technique specifically abuses those attributes.
- Compare installed apps against an approved mobile app catalog using package name, signing identity, version, and install source rather than user-facing names alone.
- Tune for false positives from legitimate rebrands, regional app variants, beta builds, or enterprise-signed internal apps by maintaining an approved exception process.
- Use relationship context to inform test cases: ATT&CK links this behavior to multiple Android malware families and mobile campaigns, so Android coverage should be explicitly validated even though the technique is also listed for iOS.
- Review DET0609 if available in the local ATT&CK/detection content repository, but treat coverage as unproven until validated against local telemetry.
Mitigation priorities
- Start with M1011 User Guidance: train users that familiar names and icons are not proof of legitimacy, especially for apps requested through messages, websites, or nonstandard install paths.
- Define and communicate approved mobile app sources and escalation paths for suspicious or duplicate-looking apps.
- Use mobile governance controls to maintain an approved app inventory and remove or investigate lookalike applications that cannot be tied to expected package/signing identity.
- Include masquerading checks in mobile incident response procedures so responders verify app identity beyond what the user sees on screen.
- For compliance evidence, retain records showing approved app lists, user guidance, and review actions for suspicious mobile apps.
Analyst notes and limits
The most decision-useful point is identity assurance for mobile apps: names, icons, and locations are weak trust signals. The relationship set is broad and includes a campaign, groups, and many software entries, mostly Android-related, which supports prioritizing mobile app inventory and validation. However, the ATT&CK object does not specify tactics and does not include official detection logic.
This take uses only the supplied ATT&CK fields and relationships. It does not assert current exploitation, customer exposure, guaranteed detection, or specific vendor capability. Local platform mix, MDM/EMM telemetry, app installation policy, and mobile logging depth are required to determine actual coverage.
Match Legitimate Name or Location
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`).
Adversaries may also use the same icon of the file or application they are trying to mimic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1655 | Masquerading | This object subtechnique of Masquerading. |
Groups, software, and campaigns
G0097: Bouncing Golf
Bouncing Golf is a cyberespionage campaign targeting Middle Eastern countries.[1]
G1019: MoustachedBouncer
MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.[1]
G1028: APT-C-23
S0485: Mandrake
Mandrake is a sophisticated Android espionage platform that has been active in the wild since at least 2016. Mandrake is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.
Mandrake has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.[1]
S0314: X-Agent for Android
X-Agent for Android is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. [1] Is it tracked separately from the CHOPSTICK.
S0506: ViperRAT
S1214: Android/SpyAgent
Android/SpyAgent is a variant of spyware in the MoqHao phishing campaign primarily targeting Korean and Japanese users.[1] Fake security applications were used to target Japanese users, while fake police applications were used to target Korean users. Both fake applications have common C2 commands and share the same crash report key on a cloud service.[1]
S1231: GodFather
GodFather is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, GodFather targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information. [1][2]
S1077: Hornbill
S0478: EventBot
EventBot is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.[1] EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.[1]
S0320: DroidJack
S1083: Chameleon
Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.[1][2]
S0529: CarbonSteal
CarbonSteal is one of a family of four surveillanceware tools that share a common C2 infrastructure. CarbonSteal primarily deals with audio surveillance. [1]
S0555: CHEMISTGAMES
CHEMISTGAMES is a modular backdoor that has been deployed by Sandworm Team.[1]
S0480: Cerberus
C0033: C0033
C0033 was a PROMETHIUM campaign during which they used StrongPity to target Android users. C0033 was the first publicly documented mobile campaign for PROMETHIUM, who previously used Windows-based techniques.[1]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 3eb059421361… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
NIST Mobile Threat Catalogue APP-14Open source URL
-
[2]
NIST Mobile Threat Catalogue APP-31Open source URL
-
[3]
mitre-attack T1655.001Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.