DET0651 Detection of Indicator Removal on Host

ID: DET0651
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1630 (Indicator Removal on Host)

Analytics

iOS

AN1733

Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity. The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings.

Log Sources

Data Component | Name | Channel
Permissions Requests (DC0114) | Application Vetting | None
System Settings (DC0118) | User Interface | None

Mutable Elements

Field | Description

Android

AN1734

Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity. The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings.
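
One way an application vetting service could list the components that let an app act as a device administrator or accessibility service, shown as an added example that is not part of the original page or of MITRE's content. It assumes a decoded, text-form AndroidManifest.xml; the sample manifest, package name and component names are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Android platform binding permissions and intent actions that mark a component
# as a device admin receiver or an accessibility service.
ROLE_MARKERS = {
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
    "android.app.action.DEVICE_ADMIN_ENABLED": "device_admin",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.accessibilityservice.AccessibilityService": "accessibility_service",
}

# Constructed sample input (not taken from any real application).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

def vet_manifest(manifest_xml: str) -> list:
    """Return one finding per (component, role) for admin/accessibility-capable components."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for comp in root.iter():
        if comp.tag not in ("receiver", "service"):
            continue
        # Check the binding permission and every declared intent action, so a
        # component is still flagged when only one of the two markers is present.
        markers = [comp.get(A + "permission")]
        markers += [act.get(A + "name") for act in comp.iter("action")]
        roles = {ROLE_MARKERS[m] for m in markers if m in ROLE_MARKERS}
        for role in sorted(roles):
            findings.append({"package": root.get("package", ""), "type": comp.tag,
                             "component": comp.get(A + "name"), "role": role})
    return findings

if __name__ == "__main__":
    for finding in vet_manifest(SAMPLE_MANIFEST):
        print(finding)
```

A finding only shows that the app can request the access; whether the user has granted it is visible in the device settings lists described above.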

Log Sources

Data Component | Name | Channel
Permissions Requests (DC0114) | Application Vetting | None
System Settings (DC0118) | User Interface | None

Mutable Elements

Field | Description