Skip to content

T1629.003 Disable or Modify Tools

Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.

Item Value
ID T1629.003
Sub-techniques T1629.001, T1629.002, T1629.003
Tactics TA0030
Platforms Android
Version 1.1
Created 01 April 2022
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S1061 AbstractEmu AbstractEmu can disable Play Protect.5
S0422 Anubis Anubis can modify administrator settings and disable Play Protect.6
S0480 Cerberus Cerberus disables Google Play Protect to prevent its discovery and deletion in the future.1
S1054 Drinik Drinik can use Accessibility Services to disable Google Play Protect.2
S0420 Dvmap Dvmap can turn off VerifyApps, and can grant Device Administrator permissions via commands only, rather than using the UI.4
S1067 FluBot FluBot can disable Google Play Protect to prevent detection.3
S0485 Mandrake Mandrake can disable Play Protect.7
S0494 Zen Zen can modify the SELinux enforcement mode.8


ID Mitigation Description
M1010 Deploy Compromised Device Detection Method Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.
M1001 Security Updates Security updates frequently contain patches to vulnerabilities that can be exploited for root access.
M1004 System Partition Integrity System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.
M1011 User Guidance Users should be taught the dangers of rooting or jailbreaking their device.


ID Data Source Data Component
DS0042 User Interface System Settings