T1630 Indicator Removal on Host

Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.

| Item | Value |
| --- | --- |
| ID | T1630 |
| Sub-techniques | T1630.001, T1630.002, T1630.003 |
| Tactics | TA0030 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 30 March 2022 |
| Last Modified | 20 March 2023 |

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M1002 | Attestation | Attestation can detect unauthorized modifications to devices. Mobile security software can then use this information and take appropriate mitigation action. |
| M1001 | Security Updates | Security updates typically provide patches for vulnerabilities that could be abused by malicious applications. |
| M1011 | User Guidance | Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge. |

Detection

| ID | Data Source | Data Component |
| --- | --- | --- |
| DS0041 | Application Vetting | Permissions Requests |
| DS0042 | User Interface | System Settings |