Impair Defenses: Prevent Application Removal

ID Name
T1629.001 Prevent Application Removal
T1629.002 Device Lockout
T1629.003 Disable or Modify Tools

Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, a device administrator application's administration capabilities had to be explicitly deactivated by the user before the application could be uninstalled. Later versions of Android changed this so that the user can deactivate and uninstall the administrator application in one step.

Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's performGlobalAction(int) API could be utilized to prevent the user from removing the malicious application from the device after installation. If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.

  • Case 1: If the integer argument passed to the API call is 2 (GLOBAL_ACTION_HOME), the malicious application may send the user to the home screen from the settings screen.

  • Case 2: If the integer argument passed to the API call is 1 (GLOBAL_ACTION_BACK), the malicious application may emulate a back-press event.

ID: T1629.001
Sub-technique of: T1629
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android
MTC ID: APP-22
Contributors: Shankar Raman, Gen Digital and Abhinand, Amrita University
Version: 1.2
Created: 01 April 2022
Last Modified: 28 September 2023

Procedure Examples

ID Name Description
S0422 Anubis

Anubis may prevent its own uninstallation by abusing Android’s performGlobalAction(int) API call.

S1083 Chameleon

Chameleon can prevent application removal by abusing Accessibility Services.[1]

S1067 FluBot

FluBot can use Accessibility Services to make removal of the malicious app difficult.[2]

S0406 Gustuff

Gustuff may prevent application removal by abusing Android’s performGlobalAction(int) API call.

S0485 Mandrake

Mandrake can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.[3]

S0286 OBAD

OBAD abuses device administrator access to make it more difficult for users to remove the application.[4]

S1062 S.O.V.A.

S.O.V.A. can resist removal by going to the home screen during uninstall.[5]

Mitigations

ID Mitigation Description
M1012 Enterprise Policy

An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features.

M1006 Use Recent OS Version

Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them.

M1011 User Guidance

Users should be warned against granting access to accessibility features and device administration services, and to carefully scrutinize applications that request these dangerous permissions. Users should be taught how to boot into safe mode to uninstall malicious applications that may be interfering with the uninstallation process.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting services may detect API calls to performGlobalAction(int).

DS0042 User Interface System Settings

The user can view a list of device administrators and applications that have registered accessibility services in device settings. The user can typically notice when an action happens that they did not initiate and can subsequently review installed applications for any out-of-place or unknown ones. Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.
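The two registrations this detection entry says to scrutinize (an accessibility service and a device-admin receiver) are both declared in AndroidManifest.xml, so an application-vetting pipeline can flag them before install. The script below is an added example, not part of the ATT&CK page; it assumes the manifest has already been decoded from its binary form to plain XML, and the package and component names in the sample are constructed.

```python
"""Added example (not ATT&CK content): triage a decoded AndroidManifest.xml for
the capabilities abused by T1629.001. Assumes binary-XML decoding was done by
an external tool; only the plain-XML manifest is handled here."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample manifest: one accessibility service and one device-admin
# receiver, i.e. both registrations the detection guidance singles out.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return components that bind the accessibility or device-admin
    permission, which is how Android identifies these service types."""
    root = ET.fromstring(manifest_xml)
    findings = {"accessibility_services": [], "device_admin_receivers": []}
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM:
            findings["accessibility_services"].append(svc.get(ANDROID_NS + "name"))
    for rcv in root.iter("receiver"):
        if rcv.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERM:
            findings["device_admin_receivers"].append(rcv.get(ANDROID_NS + "name"))
    return findings


def needs_review(findings: dict) -> bool:
    """True when either capability is requested; route such apps to manual review."""
    return any(findings.values())


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result, "-> manual review" if needs_review(result) else "-> no finding")
```

A hit here is a trigger for review, not proof of malice; legitimate screen readers and MDM agents declare the same components.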

References