Abuse Device Administrator Access to Prevent Removal

A malicious application can request Device Administrator privileges. If the user grants the privileges, the application can take steps to make its removal more difficult.

ID: T1401
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Persistence
Platforms: Android
Version: 1.1
Created: 25 October 2017
Last Modified: 03 February 2019

Procedure Examples

| Name | Description |
|---|---|
| Mandrake | Mandrake can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.[1] |
| Marcher | Marcher requests Android Device Administrator access.[2] |
| OBAD | OBAD abuses device administrator access to make it more difficult for users to remove the application.[3] |
| XLoader for Android | XLoader for Android requests Android Device Administrator access.[4] |


Mitigations

| Mitigation | Description |
|---|---|
| Application Vetting | It is rare for applications to utilize Device Administrator access. App vetting can detect apps that do so, and those apps should be closely scrutinized. A static analysis approach can be used to identify ransomware apps including apps that abuse Device Administrator access.[5] |
| Caution with Device Administrator Access | |
| Use Recent OS Version | Changes were made in Android 7 to help prevent use of this technique.[6] |


The device user can view a list of apps with Device Administrator privilege in the device settings.
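
The Application Vetting check described above can start from the app manifest. The following is an added example, not code from this page or from the cited research: it flags receivers carrying the markers Android uses for a Device Administrator component (the `BIND_DEVICE_ADMIN` permission, the `DEVICE_ADMIN_ENABLED` action, and the `android.app.device_admin` meta-data). It assumes the manifest has already been decoded to text XML; the function name and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BIND_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
ENABLED_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
ADMIN_META = "android.app.device_admin"

# Constructed sample manifest (decoded text form), not taken from a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def find_device_admin_receivers(manifest_xml):
    """Return one finding per <receiver> that shows any Device Administrator marker."""
    # Manifests from unvetted apps are untrusted input; parse them in a sandboxed job.
    root = ET.fromstring(manifest_xml)
    findings = []
    for receiver in root.iter("receiver"):
        indicators = []
        if receiver.get(A + "permission") == BIND_PERMISSION:
            indicators.append("permission")
        actions = {a.get(A + "name") for a in receiver.iter("action")}
        if ENABLED_ACTION in actions:
            indicators.append("action")
        metas = {m.get(A + "name") for m in receiver.iter("meta-data")}
        if ADMIN_META in metas:
            indicators.append("meta-data")
        if indicators:  # a partial match is still reported for manual review
            findings.append({"receiver": receiver.get(A + "name"), "indicators": indicators})
    return findings

if __name__ == "__main__":
    for finding in find_device_admin_receivers(SAMPLE_MANIFEST):
        print(finding["receiver"], finding["indicators"])
```

A receiver that shows only some of the markers is reported as well, so a reviewer can decide whether the declaration is incomplete or deliberately unusual.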