Hide Artifacts

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application’s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.

ID: T1628
Sub-techniques:  T1628.001, T1628.002, T1628.003
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android
Version: 1.1
Created: 30 March 2022
Last Modified: 20 March 2023

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting services could potentially detect the usage of APIs intended for artifact hiding.

DS0042 User Interface System Settings

The user can examine the list of all installed applications in the device settings.