Skip to content

T1630.001 Uninstall Malicious Application

Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:

  • Abusing device owner permissions to perform silent uninstallation using device owner API calls.
  • Abusing root permissions to delete files from the filesystem.
  • Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.
Item Value
ID T1630.001
Sub-techniques T1630.001, T1630.002, T1630.003
Tactics TA0030
Platforms Android
Version 1.1
Created 30 March 2022
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S0480 Cerberus Cerberus can uninstall itself from a device on command.3
S1062 S.O.V.A. S.O.V.A. can uninstall itself.4
S1055 SharkBot SharkBot has C2 commands that can uninstall the app from the infected device.2
S0427 TrickMo TrickMo can uninstall itself from a device on command by abusing the accessibility service.1


ID Mitigation Description
M1002 Attestation Attestation can detect rooted devices. Mobile security software can then use this information and take appropriate mitigation action. Attestation can detect rooted devices.
M1001 Security Updates Security updates typically provide patches for vulnerabilities that enable device rooting.
M1011 User Guidance Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.


ID Data Source Data Component
DS0041 Application Vetting API Calls
DS0042 User Interface System Settings