Abuse Elevation Control Mechanism: Device Administrator Permissions

Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for Endpoint Denial of Service, factory resetting the device for File Deletion and to delete any traces of the malware, disabling all the device’s cameras, or making it more difficult to uninstall the app.

Device administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as Input Injection, an app can programmatically grant itself administrator permissions without any user input.

ID: T1626.001
Sub-technique of: T1626
Tactic Type: Post-Adversary Device Access
Platforms: Android
MTC ID: APP-22
Version: 1.1
Created: 01 April 2022
Last Modified: 24 October 2025

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| S1061 | AbstractEmu | AbstractEmu can modify system settings to give itself device administrator privileges.[1] |
| S0540 | Asacub | Asacub can request device administrator permissions.[2] |
| S9004 | Crocodilus | Crocodilus has the ability to request device administrator permissions.[3] |
| S0522 | Exobot | Exobot can request device administrator permissions.[4] |
| S0536 | GPlayed | GPlayed can request device administrator permissions.[5] |
| S1077 | Hornbill | Hornbill can request device administrator privileges.[6] |
| S0539 | Red Alert 2.0 | Red Alert 2.0 can request device administrator permissions.[7] |
| S1082 | Sunbird | Sunbird can request device administrator privileges.[6] |
| S0318 | XLoader for Android | XLoader for Android requests Android Device Administrator access.[8] |

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M1006 | Use Recent OS Version | Changes were introduced in Android 7 to make abuse of device administrator permissions more difficult.[9] |
| M1011 | User Guidance | Users should scrutinize every device administration permission request. If the request is not expected or the user does not recognize the application, the application should be uninstalled immediately. |

Detection Strategy

| ID | Name | Analytic ID | Analytic Description |
| --- | --- | --- | --- |
| DET0630 | Detection of Device Administrator Permissions | AN1701 | Correlates (1) activation of Device Administrator privileges by an application, (2) absence or mismatch of legitimate user interaction during the approval flow, and (3) immediate execution of administrator-level control actions (e.g., password reset, device lock, policy enforcement, prevention of uninstall). The defender observes a causal chain where an application transitions into a privileged device control role and rapidly exercises those capabilities outside expected user-driven patterns. |

Application vetting services can check for the string BIND_DEVICE_ADMIN in the application’s manifest.
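
A vetting check for BIND_DEVICE_ADMIN can be made more precise than a plain string match by parsing the manifest and reporting only receivers that actually declare the permission. The Python below is an added example, not code from this page or from any vetting product; it assumes the manifest has already been decoded to text XML, and the sample manifest, package name and function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest live in the Android XML namespace.
A = "{http://schemas.android.com/apk/res/android}"
ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
ADMIN_METADATA = "android.app.device_admin"

# Constructed sample of a decoded AndroidManifest.xml (not from a real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application>
    <!-- BIND_DEVICE_ADMIN appears here in a comment only: not a finding -->
    <receiver android:name=".BootReceiver"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def find_device_admin_receivers(manifest_xml):
    """Return one finding per <receiver> protected by BIND_DEVICE_ADMIN."""
    root = ET.fromstring(manifest_xml)  # XML comments are dropped by the parser
    findings = []
    for receiver in root.iter("receiver"):
        if receiver.get(A + "permission") != ADMIN_PERMISSION:
            continue
        actions = {a.get(A + "name") for a in receiver.iter("action")}
        # The meta-data entry points at the XML resource listing requested policies.
        policy_ref = next((m.get(A + "resource") for m in receiver.iter("meta-data")
                           if m.get(A + "name") == ADMIN_METADATA), None)
        findings.append({
            "package": root.get("package"),
            "receiver": receiver.get(A + "name"),
            "handles_admin_enabled": ADMIN_ACTION in actions,
            "policy_resource": policy_ref,
        })
    return findings

if __name__ == "__main__":
    for finding in find_device_admin_receivers(SAMPLE_MANIFEST):
        print(finding)
```

The reported policy resource is the file a reviewer would open next to see which administrator actions the app asks for.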

References