Hide Artifacts: User Evasion

Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device.

While there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.

ID: T1628.002
Sub-technique of:  T1628
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android
Version: 1.0
Created: 11 April 2022
Last Modified: 11 April 2022

Procedure Examples

ID Name Description
S1094 BRATA

BRATA can turn off or fake turning off the screen while performing malicious activities.[1]

S0655 BusyGasper

BusyGasper can utilize the device’s sensors to determine when the device is in use and subsequently hide malicious activity. When active, it attempts to hide its malicious activity by turning the screen’s brightness as low as possible and muting the device.[2]

S1067 FluBot

FluBot can use locale.getLanguage() to choose the language for notifications and avoid user detection.[3]

S1077 Hornbill

Hornbill uses an infrequent data upload schedule to avoid user detection and battery drain. It also can delete on-device data after being sent to the C2, and stores collected data in hidden folders on external storage.[4]

Mitigations

ID Mitigation Description
M1010 Deploy Compromised Device Detection Method

Mobile security products that are part of the Samsung Knox for Mobile Threat Defense program could examine running applications while the device is idle, potentially detecting malicious applications that are running primarily when the device is not being used.

Detection

Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

References