T1626.001 Device Administrator Permissions
Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for Endpoint Denial of Service, factory resetting the device for File Deletion and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app.
Device administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as Input Injection, an app can programmatically grant itself administrator permissions without any user input.
| Item | Value |
|---|---|
| ID | T1626.001 |
| Sub-techniques | T1626.001 |
| Tactics | TA0029 |
| Platforms | Android |
| Version | 1.1 |
| Created | 01 April 2022 |
| Last Modified | 20 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1061 | AbstractEmu | AbstractEmu can modify system settings to give itself device administrator privileges.6 |
| S0540 | Asacub | Asacub can request device administrator permissions.4 |
| S0522 | Exobot | Exobot can request device administrator permissions.7 |
| S0536 | GPlayed | GPlayed can request device administrator permissions.8 |
| S0317 | Marcher | Marcher requests Android Device Administrator access.2 |
| S0539 | Red Alert 2.0 | Red Alert 2.0 can request device administrator permissions.3 |
| S0318 | XLoader for Android | XLoader for Android requests Android Device Administrator access.5 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1006 | Use Recent OS Version | Changes were introduced in Android 7 to make abuse of device administrator permissions more difficult.1 |
| M1011 | User Guidance | Users should scrutinize every device administration permission request. If the request is not expected or the user does not recognize the application, the application should be uninstalled immediately. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | Permissions Requests |
| DS0042 | User Interface | Permissions Request |
References
-
Adrian Ludwig. (2016, May 19). What’s new in Android security (M and N Version). Retrieved December 9, 2016. ↩
-
Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018. ↩
-
J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020. ↩
-
T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020. ↩
-
Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018. ↩
-
P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023. ↩
-
Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020. ↩
-
V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020. ↩