Abuse Elevation Control Mechanism: Device Administrator Permissions

Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for Endpoint Denial of Service, factory resetting the device for File Deletion and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app.

Device administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as Input Injection, an app can programmatically grant itself administrator permissions without any user input.

ID: T1626.001
Sub-technique of:  T1626
Tactic Type: Post-Adversary Device Access
Platforms: Android
Version: 1.0
Created: 01 April 2022
Last Modified: 06 April 2022

Procedure Examples

ID Name Description
S0540 Asacub

Asacub can request device administrator permissions.[1]

S0522 Exobot

Exobot can request device administrator permissions.[2]

S0536 GPlayed

GPlayed can request device administrator permissions.[3]

S0317 Marcher

Marcher requests Android Device Administrator access.[4]

S0539 Red Alert 2.0

Red Alert 2.0 can request device administrator permissions.[5]

S0318 XLoader for Android

XLoader for Android requests Android Device Administrator access.[6]


ID Mitigation Description
M1006 Use Recent OS Version

Changes were introduced in Android 7 to make abuse of device administrator permissions more difficult.[7]

M1011 User Guidance

Users should scrutinize every device administration permission request. If the request is not expected or the user does not recognize the application, the application should be uninstalled immediately.


Users are prompted for approval when an application requests device administrator permissions. Users can see which applications are registered as device administrators in the device settings. Application vetting services can check for the string BIND_DEVICE_ADMIN in the application’s manifest. This indicates it can prompt the user for device administrator permissions.