T1629.003 Disable or Modify Tools
Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.
| Item | Value |
|---|---|
| ID | T1629.003 |
| Sub-techniques | T1629.001, T1629.002, T1629.003 |
| Tactics | TA0030 |
| Platforms | Android |
| Version | 1.1 |
| Created | 01 April 2022 |
| Last Modified | 20 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1061 | AbstractEmu | AbstractEmu can disable Play Protect.5 |
| S0422 | Anubis | Anubis can modify administrator settings and disable Play Protect.6 |
| S0480 | Cerberus | Cerberus disables Google Play Protect to prevent its discovery and deletion in the future.1 |
| S1054 | Drinik | Drinik can use Accessibility Services to disable Google Play Protect.2 |
| S0420 | Dvmap | Dvmap can turn off VerifyApps, and can grant Device Administrator permissions via commands only, rather than using the UI.4 |
| S1067 | FluBot | FluBot can disable Google Play Protect to prevent detection.3 |
| S0485 | Mandrake | Mandrake can disable Play Protect.7 |
| S0494 | Zen | Zen can modify the SELinux enforcement mode.8 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1010 | Deploy Compromised Device Detection Method | Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action. |
| M1001 | Security Updates | Security updates frequently contain patches to vulnerabilities that can be exploited for root access. |
| M1004 | System Partition Integrity | System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files. |
| M1011 | User Guidance | Users should be taught the dangers of rooting or jailbreaking their device. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0042 | User Interface | System Settings |
References
-
Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020. ↩
-
Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023. ↩
-
Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023. ↩
-
R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019. ↩
-
P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023. ↩
-
M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020. ↩
-
R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020. ↩
-
Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020. ↩