
Suppress Application Icon

A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.

This behavior has been seen in the BankBot/Spy Banker and SimBad families of malware.[1][2][3][4]

ID: T1508
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platform: Android
Contributors: Emily Ratliff, IBM
Version: 1.0
Created: 11 July 2019
Last Modified: 22 September 2019

Procedure Examples

FlexiSpy: FlexiSpy is capable of hiding SuperSU's icon if it is installed and visible. FlexiSpy can also hide its own icon to make detection and the uninstallation process more difficult.[5][6]

Gustuff: Gustuff hides its icon after installation.[8]

Rotexy: Rotexy hides its icon after first launch.[7]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings.
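
The manual check above can be scripted from a workstation. The following is an added example, not part of the original technique page: it compares the installed third-party packages with the packages that still expose an enabled launcher activity. It assumes the two inputs were collected with `adb shell pm list packages -3` and `adb shell cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`; the package names and sample output are constructed.

```python
import re

# Constructed sample of `adb shell pm list packages -3` output.
INSTALLED_SAMPLE = """\
package:com.example.notes
package:com.example.flashlight
package:com.example.keyboard
"""

# Constructed sample of the launcher query output (see lead-in for the command).
LAUNCHER_SAMPLE = """\
2 activities found:
  Activity #0:
    priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
    com.example.notes/.MainActivity
  Activity #1:
    priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
    com.android.settings/.Settings
"""

PKG_LINE = re.compile(r"^package:([A-Za-z0-9_.]+)\s*$")
# A component line is "<package>/<activity class>" alone on the line.
COMPONENT_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)/[A-Za-z0-9_.$]+\s*$")


def installed_packages(text):
    """Package names from `pm list packages` output."""
    return {m.group(1) for line in text.splitlines() if (m := PKG_LINE.match(line))}


def launcher_packages(text):
    """Packages that own at least one enabled MAIN/LAUNCHER activity."""
    return {m.group(1) for line in text.splitlines() if (m := COMPONENT_LINE.match(line))}


def apps_without_launcher_icon(installed_text, launcher_text, expected=frozenset()):
    """Installed packages with no launcher entry, minus a reviewed allowlist.

    Keyboards, widgets and background services legitimately have no icon,
    so the result is a list to review, not a verdict.
    """
    hidden = installed_packages(installed_text) - launcher_packages(launcher_text)
    return sorted(hidden - set(expected))


if __name__ == "__main__":
    allow = {"com.example.keyboard"}  # constructed allowlist entry
    for pkg in apps_without_launcher_icon(INSTALLED_SAMPLE, LAUNCHER_SAMPLE, allow):
        print("no launcher icon, review:", pkg)
```
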