Abuse Device Administrator Access to Prevent Removal
A malicious application can request Device Administrator privileges. If the user grants the privileges, the application can take steps to make its removal more difficult.
ID: T1401
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Persistence
Platforms: Android
MTC ID: APP-22
Version: 1.1
Created: 25 October 2017
Last Modified: 03 February 2019
Procedure Examples
Name | Description |
---|---|
Marcher | |
OBAD | OBAD abuses device administrator access to make it more difficult for users to remove the application.[5] |
XLoader | |
Mitigations
Mitigation | Description |
---|---|
Application Vetting | It is rare for applications to utilize Device Administrator access. App vetting can detect apps that do so, and those apps should be closely scrutinized. A static analysis approach can be used to identify ransomware apps, including apps that abuse Device Administrator access.[2] |
Caution with Device Administrator Access | |
Use Recent OS Version | Changes were made in Android 7 to help prevent use of this technique.[1] |
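The Application Vetting mitigation above says a static check can surface apps that request Device Administrator access. The following is an added example, not code from the MITRE page or from any vetting product: it inspects a decoded AndroidManifest.xml and reports every broadcast receiver that is wired up as a device admin, i.e. one protected by the `android.permission.BIND_DEVICE_ADMIN` permission, listening for `android.app.action.DEVICE_ADMIN_ENABLED`, or carrying `android.app.device_admin` policy metadata. It assumes the manifest has already been decoded from the APK's binary XML (for instance with apktool); the two sample manifests embedded below are constructed for illustration and do not describe any real app.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The three markers that together identify a DeviceAdminReceiver declaration.
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
DEVICE_ADMIN_METADATA = "android.app.device_admin"


def _android_attr(elem, name):
    """Read an android:<name> attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_device_admin_receivers(manifest_xml):
    """Return one finding per <receiver> that is declared as a device admin.

    Each finding records the fully qualified receiver class and which of the
    three markers were present, so a reviewer can see how complete the
    declaration is rather than just a yes/no verdict.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for receiver in root.iter("receiver"):
        name = _android_attr(receiver, "name") or ""
        if name.startswith("."):          # shorthand relative to the package name
            name = package + name
        permission = _android_attr(receiver, "permission")
        actions = {_android_attr(a, "name") for a in receiver.iter("action")}
        metadata = {_android_attr(m, "name") for m in receiver.iter("meta-data")}
        finding = {
            "receiver": name,
            "bind_permission": permission == BIND_DEVICE_ADMIN,
            "enable_action": DEVICE_ADMIN_ENABLED in actions,
            "policy_metadata": DEVICE_ADMIN_METADATA in metadata,
        }
        if any((finding["bind_permission"], finding["enable_action"], finding["policy_metadata"])):
            findings.append(finding)
    return findings


def uses_device_admin(manifest_xml):
    """True if the manifest declares at least one device admin receiver."""
    return bool(find_device_admin_receivers(manifest_xml))


# Constructed sample: an ordinary app with no device admin component.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed sample: an app that registers a DeviceAdminReceiver.
ADMIN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspicious">
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("admin", ADMIN_MANIFEST)):
        print(label, find_device_admin_receivers(manifest))
```

A hit is a reason for closer review, not a verdict on its own: legitimate MDM and some security apps also declare device admin receivers, which is why the page's mitigation says such apps should be scrutinized rather than rejected outright. A vetting pipeline would typically pair this manifest check with a look at which policies the referenced `@xml/device_admin` resource requests.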
Detection
The device user can view a list of apps with Device Administrator privilege in the device settings.
References
- Adrian Ludwig. (2016, May 19). What's New in Android Security (M and N Version). Retrieved December 9, 2016.
- Federico Maggi and Stefano Zanero. (2016). Pocket-Sized Badness: Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. Retrieved December 21, 2016.
- Proofpoint. (2017, November 3). Credential Phishing and an Android Banking Trojan Combine in Austrian Mobile Attacks. Retrieved July 6, 2018.