Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.
| ID | Name | Description |
|---|---|---|
| S1225 | CherryBlos |
CherryBlos has sent the victim back to the home screen when the victim navigates to the malicious application's settings and has automatically approved any permission requests by clicking on the "Allow" button when a system dialogue appears.[1] |
| S1231 | GodFather |
GodFather has intercepted API returns from banking apps that detect malicious services, and modifies the methods to return back an empty list hiding the presence of the malware and other active services.[2] |
| ID | Mitigation | Description |
|---|---|---|
| M1010 | Deploy Compromised Device Detection Method |
Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action. |
| M1012 | Enterprise Policy |
An EMM/MDM can use the Android |
| M1001 | Security Updates |
Security updates often contain patches for vulnerabilities that could be exploited for root access. Root access is often a requirement to impairing defenses. |
| M1004 | System Partition Integrity |
System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files. |
| M1011 | User Guidance |
Providing user guidance around commonly abused features, such as the modal that requests for administrator permissions, should aid in preventing impairing defenses. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0687 | Detection of Impair Defenses | AN1797 |
Application vetting can detect many techniques associated with impairing device defenses.[3] |