DET0598 Detection of Prevent Application Removal
| Item | Value |
|---|---|
| ID | DET0598 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1629.001 (Prevent Application Removal)
Analytics
Android
AN1644
Application vetting services may detect API calls to performGlobalAction(int).
In device settings, the user can view the list of device administrators and the applications that have registered accessibility services. The user can typically see when an action occurs that they did not initiate, and can then review installed applications for any that are unknown or out of place. Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.
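The following is an added example of the vetting check described in this analytic; it is not part of the original entry or of any vetting product. It assumes the APK has already been decoded to a text `AndroidManifest.xml` and smali files, and the function names and sample inputs are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Bind permissions that mark a component as an accessibility service or device admin receiver.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}
# smali form of a call to performGlobalAction(int), which returns boolean.
GLOBAL_ACTION_CALL = re.compile(r"->performGlobalAction\(I\)Z")

def flagged_components(manifest_xml):
    """Return sorted (kind, component name) pairs declared with one of BIND_PERMS."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            kind = BIND_PERMS.get(comp.get(ANDROID_NS + "permission"))
            if kind:
                hits.append((kind, comp.get(ANDROID_NS + "name", "")))
    return sorted(hits)

def global_action_calls(smali_files):
    """smali_files maps path -> text. Return sorted (path, line number) call sites."""
    return sorted((path, n) for path, text in smali_files.items()
                  for n, line in enumerate(text.splitlines(), 1)
                  if GLOBAL_ACTION_CALL.search(line))

def vet(manifest_xml, smali_files):
    """Combine both checks; any finding sends the app to manual review."""
    components = flagged_components(manifest_xml)
    calls = global_action_calls(smali_files)
    return {"components": components, "calls": calls,
            "needs_review": bool(components or calls)}

# Constructed sample input (not taken from a real application).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <service android:name=".HelperService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""
SAMPLE_SMALI = {"smali/com/example/HelperService.smali": (
    ".method public onAccessibilityEvent(Landroid/view/accessibility/AccessibilityEvent;)V\n"
    "    const/4 v0, 0x1\n"
    "    invoke-virtual {p0, v0}, Lcom/example/HelperService;->performGlobalAction(I)Z\n"
    ".end method\n")}
```

A static match like this only finds direct call sites; a call made through reflection or from native code will not appear in the smali text, so a clean result does not replace the manual review of flagged components.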
Log Sources
Mutable Elements