Abuse Device Administrator Access to Prevent Removal

A malicious application can request Device Administrator privileges. If the user grants the privileges, the application can take steps to make its removal more difficult.

ID: T1401

Tactic Type: Post-Adversary Device Access

Tactic: Persistence

Platform: Android

MTC ID: APP-22

Version: 1.1

Mitigations

Application Vetting: Few applications have a legitimate need for Device Administrator access, so app vetting can flag those that request it for closer scrutiny. Maggi and Zanero describe a static analysis approach that identifies ransomware apps, including apps that abuse Device Administrator access.[4]

Caution with Device Administrator Access: Warn device users not to grant Device Administrator access to applications without a good reason.

Use Recent OS Version: Changes were made in Android 7 to help prevent use of this technique.[5]

Examples

Marcher: Requests Android Device Administrator access.[1]

OBAD: Abuses Device Administrator access to make it more difficult for users to remove the application.[2]

XLoader: Requests Android Device Administrator access.[3]

Detection

The device user can view the list of apps that hold Device Administrator privileges in the device settings (the exact menu path varies by Android version and vendor). An app in that list that the user does not recognize, or that has no enterprise or anti-theft reason to be there, warrants investigation. Because Android refuses to uninstall an app while its administrator privilege is active, the same list is also where removal has to start: deactivate the admin first, then uninstall.
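The following Python script is an added example for this page and is not code from ATT&CK or from any of the malware listed above. It automates the two checks described under Application Vetting and Detection: `find_device_admin_receivers()` parses a decoded AndroidManifest.xml (decode the binary manifest with apktool or androguard first) and returns the receivers that can act as a DeviceAdminReceiver, and `unexpected_device_admins()` parses the "Enabled Device Admins" section of `adb shell dumpsys device_policy` and reports admin components that are not on an allowlist. The manifest and dumpsys text are constructed samples, the allowlist entry `com.example.mdm` is a hypothetical MDM agent, and the dumpsys layout assumed here (an `Enabled Device Admins (User N, ...)` header followed by indented `<package>/<receiver>:` lines) matches recent AOSP output but is not a stable interface, so verify it against your own device.

```python
"""Added example: offline checks for Device Administrator abuse (T1401).
Sample manifest and dumpsys text below are constructed, not captured."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"


def find_device_admin_receivers(manifest_xml: str) -> List[str]:
    """Fully qualified receivers that can be granted Device Administrator access:
    declared with BIND_DEVICE_ADMIN and filtering for DEVICE_ADMIN_ENABLED."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID_NS + "permission") != BIND_DEVICE_ADMIN:
            continue
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if DEVICE_ADMIN_ENABLED not in actions:
            continue
        name = receiver.get(ANDROID_NS + "name", "")
        if name.startswith("."):          # shorthand relative to the package
            name = package + name
        found.append(name)
    return found


# Assumed dumpsys layout (recent AOSP): section header, then "pkg/.Cls:" lines.
_ADMIN_HEADER = re.compile(r"^(\s*)Enabled Device Admins \(User (\d+)")
_COMPONENT = re.compile(r"^\s+([\w.]+/[\w.$]+):\s*$")


def enabled_device_admins(dumpsys_text: str) -> Dict[int, List[str]]:
    """Map Android user id -> enabled admin components from dumpsys output."""
    result: Dict[int, List[str]] = {}
    user, header_indent = None, 0
    for line in dumpsys_text.splitlines():
        header = _ADMIN_HEADER.match(line)
        if header:
            header_indent, user = len(header.group(1)), int(header.group(2))
            result.setdefault(user, [])
            continue
        if user is None or not line.strip():
            continue
        if len(line) - len(line.lstrip()) <= header_indent:
            user = None                   # back at the parent level: section over
            continue
        comp = _COMPONENT.match(line)
        if comp:
            result[user].append(comp.group(1))
    return result


def expand_component(component: str) -> str:
    """Expand the short 'pkg/.Cls' form dumpsys prints to 'pkg/pkg.Cls'."""
    package, cls = component.split("/", 1)
    return f"{package}/{package}{cls}" if cls.startswith(".") else component


def unexpected_device_admins(dumpsys_text: str, allowlist: set) -> List[Tuple[int, str]]:
    """(user, full component) for every enabled admin not on the allowlist."""
    return [(user, expand_component(c))
            for user, comps in enabled_device_admins(dumpsys_text).items()
            for c in comps if expand_component(c) not in allowlist]


SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <application>
    <receiver android:name=".AdminReceiver" android:exported="true"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Device Owner:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.dropper/.AdminReceiver:
      uid=10102
      policies:
        force-lock
        wipe-data
    com.example.mdm/.MdmReceiver:
      uid=10045
  Enabled Device Admins (User 10, provisioningState: 0):
    com.example.mdm/.MdmReceiver:
      uid=1010045
  Encryption Status: per-user
"""

KNOWN_ADMINS = {"com.example.mdm/com.example.mdm.MdmReceiver"}   # hypothetical MDM agent

if __name__ == "__main__":
    print("admin-capable receivers:", find_device_admin_receivers(SAMPLE_MANIFEST))
    for user, comp in unexpected_device_admins(SAMPLE_DUMPSYS, KNOWN_ADMINS):
        print(f"user {user}: unexpected device admin {comp}")
```

On a real device, feed `adb shell dumpsys device_policy` into `unexpected_device_admins()` with an allowlist of the admin components your MDM or anti-theft apps are expected to register; anything else is a candidate for this technique and should be deactivated before the app is uninstalled. The manifest check only tells you an app can become a device admin, not that it abuses the privilege, which is why vetting should follow up with the behavioural analysis described above.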

References