T1630.001 Uninstall Malicious Application
Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:
- Abusing device owner permissions to perform silent uninstallation using device owner API calls.
- Abusing root permissions to delete files from the filesystem.
- Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.
| Item | Value |
|---|---|
| ID | T1630.001 |
| Sub-techniques | T1630.001, T1630.002, T1630.003 |
| Tactics | TA0030 |
| Platforms | Android |
| Version | 1.1 |
| Created | 30 March 2022 |
| Last Modified | 20 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0480 | Cerberus | Cerberus can uninstall itself from a device on command.3 |
| S1062 | S.O.V.A. | S.O.V.A. can uninstall itself.4 |
| S1055 | SharkBot | SharkBot has C2 commands that can uninstall the app from the infected device.2 |
| S0427 | TrickMo | TrickMo can uninstall itself from a device on command by abusing the accessibility service.1 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1002 | Attestation | Attestation can detect rooted devices. Mobile security software can then use this information and take appropriate mitigation action. Attestation can detect rooted devices. |
| M1001 | Security Updates | Security updates typically provide patches for vulnerabilities that enable device rooting. |
| M1011 | User Guidance | Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | API Calls |
| DS0042 | User Interface | System Settings |
References
-
P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020. ↩
-
RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023. ↩
-
Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020. ↩
-
ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023. ↩