Abuse Device Administrator Access to Prevent Removal

A malicious application can request Device Administrator privileges. If the user grants the privileges, the application can take steps to make its removal more difficult.

ID: T1401
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Persistence
Platforms: Android
MTC ID: APP-22
Version: 1.1
Created: 25 October 2017
Last Modified: 03 February 2019

Procedure Examples

Name      Description
Marcher   Marcher requests Android Device Administrator access.[3]
OBAD      OBAD abuses device administrator access to make it more difficult for users to remove the application.[5]
XLoader   XLoader requests Android Device Administrator access.[4]

Mitigations

Mitigation                                  Description
Application Vetting                         It is rare for applications to utilize Device Administrator access. App vetting can detect apps that do so, and those apps should be closely scrutinized. A static analysis approach can be used to identify ransomware apps, including apps that abuse Device Administrator access.[2]
Caution with Device Administrator Access
Use Recent OS Version                       Changes were made in Android 7 to help prevent use of this technique.[1]
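The static check that an app-vetting pipeline would run for this technique is a manifest scan: an app can only become a Device Administrator if it declares a broadcast receiver protected by android.permission.BIND_DEVICE_ADMIN, carrying android.app.device_admin meta-data and listening for android.app.action.DEVICE_ADMIN_ENABLED. The example below is added here and is not code from MITRE or from any of the referenced reports; the two manifests (package names com.example.sample and com.example.benign, receiver class AdminReceiver) are constructed inputs, and the finding fields are this example's own naming. It also notes whether the receiver handles android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED, the callback an app uses to show a warning when the user tries to revoke the privilege, since that is the hook most relevant to resisting removal.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_META = "android.app.device_admin"
ACTION_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
ACTION_DISABLE_REQUESTED = "android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED"


def _attr(element, name):
    """Read an android:<name> attribute, which ElementTree keys by full namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def find_device_admin_receivers(manifest_xml):
    """Return one finding per <receiver> that declares itself as a Device Administrator.

    A receiver is flagged if any of the three markers is present; a complete
    declaration has all of them, so partial matches are still worth a look.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for receiver in root.iter("receiver"):
        name = _attr(receiver, "name") or ""
        # Manifest shorthand: ".Foo" means "<package>.Foo".
        component = package + name if name.startswith(".") else name
        actions = {_attr(a, "name") for a in receiver.iter("action")}
        has_meta = any(_attr(m, "name") == DEVICE_ADMIN_META
                       for m in receiver.iter("meta-data"))
        bind_perm = _attr(receiver, "permission") == BIND_DEVICE_ADMIN
        if bind_perm or has_meta or ACTION_ENABLED in actions:
            findings.append({
                "component": component,
                "bind_permission": bind_perm,
                "device_admin_meta": has_meta,
                "handles_enabled": ACTION_ENABLED in actions,
                "handles_disable_request": ACTION_DISABLE_REQUESTED in actions,
            })
    return findings


# Constructed sample: an app that registers a Device Administrator receiver
# and reacts when the user tries to disable it.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application android:label="Sample">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/device_admin" />
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
        <action android:name="android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED" />
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app with a receiver that has nothing to do
# with device administration, so the scan should stay quiet.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <application android:label="Benign">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        hits = find_device_admin_receivers(manifest)
        print(label, "->", hits if hits else "no Device Administrator receiver")
```

In a real pipeline the manifest comes out of the APK in binary form first (for example via apktool or androguard), and the scan is one signal among several: a Device Administrator declaration alone is not proof of abuse, but given how rarely legitimate apps need it, any hit should be routed to a reviewer. On a device already in hand, the same fact can be checked dynamically with `adb shell dumpsys device_policy`, which lists the active admin components.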

Detection

The device user can view a list of apps with Device Administrator privilege in the device settings.

References