T1401 Device Administrator Permissions
Adversaries may request device administrator permissions to perform malicious actions.
By abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device's password for Device Lockout, factory resetting the device to Delete Device Data and any traces of the malware, disabling all of the device's cameras, or making it more difficult to uninstall the app.[1]
Device administrators must be approved by the user at runtime, via a system popup that lists which actions the app has requested. In conjunction with other techniques, such as Input Injection, an app can programmatically grant itself administrator permissions without any user input.
Item | Value |
---|---|
ID | T1401 |
Sub-techniques | |
Tactics | TA0029 |
Platforms | Android |
Version | 2.0 |
Created | 25 October 2017 |
Last Modified | 24 November 2020 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0540 | Asacub | Asacub can request device administrator permissions.[10] |
S0522 | Exobot | Exobot can request device administrator permissions.[8] |
S0536 | GPlayed | GPlayed can request device administrator permissions.[7] |
S0485 | Mandrake | Mandrake can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.[6] |
S0317 | Marcher | Marcher requests Android Device Administrator access.[3] |
S0286 | OBAD | OBAD abuses device administrator access to make it more difficult for users to remove the application.[5] |
S0539 | Red Alert 2.0 | Red Alert 2.0 can request device administrator permissions.[9] |
S0318 | XLoader for Android | XLoader for Android requests Android Device Administrator access.[4] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1005 | Application Vetting | Application vetting can check for the string BIND_DEVICE_ADMIN in the application’s manifest. |
M1006 | Use Recent OS Version | Changes were introduced in Android 7 to make abuse of device administrator permissions more difficult.[2] |
M1011 | User Guidance | Users should be told that it is very rare for an app to request device administrator permissions, and that any requests for the permissions should be scrutinized. |
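The Application Vetting mitigation (M1005) checks the manifest for BIND_DEVICE_ADMIN; the added example below (not part of the ATT&CK page) goes one step further and also reads the device admin policy XML the receiver points at, so a reviewer can see which of the abuses described above (password reset, wipe, camera disable) the app actually asked for. It assumes the APK has already been decoded to plain-text XML (for example with apktool); the manifest and policy file below are constructed samples, and `.AdminReceiver` / `com.example.sample` are placeholder names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Device admin policies that map to the abuses described in the technique text.
HIGH_RISK_POLICIES = {
    "reset-password": "Device Lockout (reset the device password)",
    "force-lock": "Device Lockout (lock the screen)",
    "wipe-data": "Delete Device Data (factory reset)",
    "disable-camera": "disable all cameras",
}

# Constructed sample of a decoded AndroidManifest.xml (placeholder names, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
    </receiver>
  </application>
</manifest>"""

# Constructed sample of the res/xml/device_admin.xml that the meta-data entry references.
SAMPLE_POLICY = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <reset-password/>
    <wipe-data/>
    <disable-camera/>
  </uses-policies>
</device-admin>"""

def device_admin_receivers(manifest_xml):
    """Names of <receiver> elements guarded by BIND_DEVICE_ADMIN (the M1005 manifest check)."""
    root = ET.fromstring(manifest_xml)
    return [r.get(ANDROID_NS + "name") for r in root.iter("receiver")
            if r.get(ANDROID_NS + "permission") == BIND_DEVICE_ADMIN]

def requested_policies(policy_xml):
    """Policy tags listed under <uses-policies> in the device admin policy XML."""
    root = ET.fromstring(policy_xml)
    return {child.tag for uses in root.iter("uses-policies") for child in uses}

def vet(manifest_xml, policy_xml):
    """Report admin receivers and which of the requested policies are high-risk."""
    receivers = device_admin_receivers(manifest_xml)
    policies = requested_policies(policy_xml) if receivers else set()
    flagged = {p: HIGH_RISK_POLICIES[p] for p in sorted(policies) if p in HIGH_RISK_POLICIES}
    return {"device_admin_receivers": receivers, "high_risk_policies": flagged}
```

A hit is a signal for manual review rather than a verdict: legitimate device-management and anti-theft apps declare the same receiver and policies, which is why the user-guidance mitigation stresses scrutiny rather than blanket blocking.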
References
- [1] Google. (n.d.). DeviceAdminInfo. Retrieved November 20, 2020.
- [2] Adrian Ludwig. (2016, May 19). What's new in Android security (M and N Version). Retrieved December 9, 2016.
- [3] Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.
- [4] Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.
- [5] Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.
- [6] R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
- [7] V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market. Retrieved November 24, 2020.
- [8] Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
- [9] J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.
- [10] T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.