Suppress Application Icon

A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.

This behavior has been seen in the BankBot/Spy Banker family of malware.[1][2][3]

ID: T1508
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android
Contributors: Emily Ratliff, IBM
Version: 1.1
Created: 11 July 2019
Last Modified: 14 November 2019

Procedure Examples

ID Name Description
S0440 Agent Smith

Agent Smith can hide its icon from the application launcher.[4]

S0525 Android/AdDisplay.Ashas

Android/AdDisplay.Ashas can hide its icon and create a shortcut based on the C2 server response.[5]

S0655 BusyGasper

BusyGasper can hide its icon.[6]

S0480 Cerberus

Cerberus hides its icon from the application drawer after being launched for the first time.[7]

S0505 Desert Scorpion

Desert Scorpion can hide its icon.[8]

S0550 DoubleAgent

DoubleAgent has hidden its app icon.[9]

S0509 FakeSpy

FakeSpy can hide its icon if it detects that it is being run on an emulator.[10]

S0408 FlexiSpy

FlexiSpy is capable of hiding SuperSU's icon if it is installed and visible.[11] FlexiSpy can also hide its own icon to make detection and the uninstallation process more difficult.[12]

S0423 Ginp

Ginp hides its icon after installation.[13]

S0406 Gustuff

Gustuff hides its icon after installation.[14]

S0485 Mandrake

Mandrake can hide its icon on older Android versions.[15]

S0411 Rotexy

Rotexy hides its icon after first launch.[16]

S0419 SimBad

SimBad hides its icon from the application launcher.[17]

S0558 Tiktok Pro

Tiktok Pro can hide its icon after launch.[18]

S0302 Twitoor

Twitoor can hide its presence on the system.[19]

S0418 ViceLeaker

ViceLeaker includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software.[20]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings.

References