Impair Defenses

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.

ID: T1629
Sub-techniques:  T1629.001, T1629.002, T1629.003
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android
MTC ID: APP-22
Version: 1.1
Created: 01 April 2022
Last Modified: 20 March 2023

Mitigations

ID Mitigation Description
M1010 Deploy Compromised Device Detection Method

Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.

M1012 Enterprise Policy

An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features.

M1001 Security Updates

Security updates often contain patches for vulnerabilities that could be exploited for root access. Root access is often a requirement to impairing defenses.

M1004 System Partition Integrity

System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.

M1011 User Guidance

Providing user guidance around commonly abused features, such as the modal that requests for administrator permissions, should aid in preventing impairing defenses.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting can detect many techniques associated with impairing device defenses.[1]

DS0009 Process Process Termination

Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running.

References