1. Home
  2. Techniques
  3. Mobile
  4. Hide Artifacts
  5. User Evasion

Hide Artifacts: User Evasion

ID Name
T1628.001 Suppress Application Icon
T1628.002 User Evasion
T1628.003 Conceal Multimedia Files

Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device.

While there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.

ID: T1628.002
Sub-technique of:  T1628
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android
Version: 1.0
Created: 11 April 2022
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S1094 BRATA

BRATA can turn off or fake turning off the screen while performing malicious activities.[1]
S0655 BusyGasper

BusyGasper can utilize the device’s sensors to determine when the device is in use and subsequently hide malicious activity. When active, it attempts to hide its malicious activity by turning the screen’s brightness as low as possible and muting the device.[2]
S9004 Crocodilus

Crocodilus has displayed a black screen overlay and has muted the sound of the device to conceal all malicious actions.[3]

S1067 FluBot

FluBot can use locale.getLanguage() to choose the language for notifications and avoid user detection.[4]
S1077 Hornbill

Hornbill uses an infrequent data upload schedule to avoid user detection and battery drain. It also can delete on-device data after being sent to the C2, and stores collected data in hidden folders on external storage.[5]
S1195 SpyC23

SpyC23 has used blank screen overlays to hide malicious activity from the user.[6]

Mitigations

ID Mitigation Description
M1010 Deploy Compromised Device Detection Method

Mobile security products that are part of the Samsung Knox for Mobile Threat Defense program could examine running applications while the device is idle, potentially detecting malicious applications that are running primarily when the device is not being used.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0699 Detection of User Evasion AN1815

Correlates (1) continuous or repeated use of motion or interaction-inference signals that do not require overt user-facing privilege prompts, (2) suppression of higher-risk behavior while user presence or active handling is inferred, and (3) resumption of background execution, sensor use, local data handling, or network activity only when device interaction falls below a threshold. The defender observes a causal chain where an application senses user/device interaction state and intentionally gates malicious behavior to user-inactive periods.

References

  1. Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.
  2. Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.
  3. ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. Retrieved November 24, 2025.
  1. Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.
  2. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.
  3. Stefanko, L. (2020, September 30). APT‑C‑23 group evolves its Android spyware. Retrieved March 4, 2024.