T1629.001 Prevent Application Removal
Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.
Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal.
| Item | Value |
|---|---|
| ID | T1629.001 |
| Sub-techniques | T1629.001, T1629.002, T1629.003 |
| Tactics | TA0030 |
| Platforms | Android |
| Version | 1.1 |
| Created | 01 April 2022 |
| Last Modified | 20 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1067 | FluBot | FluBot can use Accessibility Services to make removal of the malicious app difficult.1 |
| S0485 | Mandrake | Mandrake can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.4 |
| S0286 | OBAD | OBAD abuses device administrator access to make it more difficult for users to remove the application.2 |
| S1062 | S.O.V.A. | S.O.V.A. can resist removal by going to the home screen during uninstall.3 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1012 | Enterprise Policy | An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android’s accessibility features. |
| M1006 | Use Recent OS Version | Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them. |
| M1011 | User Guidance | Users should be warned against granting access to accessibility features and device administration services, and to carefully scrutinize applications that request these dangerous permissions. Users should be taught how to boot into safe mode to uninstall malicious applications that may be interfering with the uninstallation process. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0042 | User Interface | System Settings |
References
-
Filip TRUȚĂ, Răzvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. Retrieved February 28, 2023. ↩
-
Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016. ↩
-
ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023. ↩
-
R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020. ↩