Skip to content

T1629 Impair Defenses

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.

Item Value
ID T1629
Sub-techniques T1629.001, T1629.002, T1629.003
Tactics TA0030
Platforms Android
Version 1.1
Created 01 April 2022
Last Modified 20 March 2023


ID Mitigation Description
M1010 Deploy Compromised Device Detection Method Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.
M1012 Enterprise Policy An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android’s accessibility features.
M1001 Security Updates Security updates often contain patches for vulnerabilities that could be exploited for root access. Root access is often a requirement to impairing defenses.
M1004 System Partition Integrity System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.
M1011 User Guidance Providing user guidance around commonly abused features, such as the modal that requests for administrator permissions, should aid in preventing impairing defenses.


ID Data Source Data Component
DS0041 Application Vetting API Calls
DS0009 Process Process Termination