1. Home
  2. Techniques
  3. Mobile
  4. Impair Defenses
  5. Disable or Modify Tools

Impair Defenses: Disable or Modify Tools

ID Name
T1629.001 Prevent Application Removal
T1629.002 Device Lockout
T1629.003 Disable or Modify Tools

Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.

ID: T1629.003
Sub-technique of:  T1629
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android
Version: 1.1
Created: 01 April 2022
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S1061 AbstractEmu

AbstractEmu can disable Play Protect.[1]
S1214 Android/SpyAgent

Android/SpyAgent has attempted to detect anti-spam call applications.[2]

S0422 Anubis

Anubis can modify administrator settings and disable Play Protect.[3]
S1094 BRATA

BRATA can remove installed antivirus applications as well as disable Google Play Protect.[4][5]
C0033 C0033

During C0033, PROMETHIUM used StrongPity to modify permissions on a rooted device and tried to disable the SecurityLogAgent application.[6]

S0480 Cerberus

Cerberus disables Google Play Protect to prevent its discovery and deletion in the future.[7]
S1083 Chameleon

Chameleon has the ability to disable Google Play Protect.[8][9]
S1054 Drinik

Drinik can use Accessibility Services to disable Google Play Protect.[10]
S0420 Dvmap

Dvmap can turn off VerifyApps, and can grant Device Administrator permissions via commands only, rather than using the UI.[11]
S1067 FluBot

FluBot can disable Google Play Protect to prevent detection.[12][13]

S0485 Mandrake

Mandrake can disable Play Protect.[14]
S1195 SpyC23

SpyC23 has disabled play protect.[15]
S0494 Zen

Zen can modify the SELinux enforcement mode.[16]

Mitigations

ID Mitigation Description
M1010 Deploy Compromised Device Detection Method

Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.
M1001 Security Updates

Security updates frequently contain patches to vulnerabilities that can be exploited for root access.
M1004 System Partition Integrity

System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.
M1011 User Guidance

Users should be taught the dangers of rooting or jailbreaking their device.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0693 Detection of Disable or Modify Tools AN1806

Correlates (1) application acquisition or use of elevated control paths capable of altering defensive tooling or protected system state, such as device administration, root-enabled modification, or security-setting manipulation, (2) direct changes to security-tool configuration, service state, package state, or protected enforcement settings such as SELinux-relevant files or security-app components, and (3) immediate degradation, suppression, or disappearance of expected security telemetry while the device and initiating application remain active. The defender observes a causal chain where a security control is modified first, then monitoring or protection weakens, and subsequent activity continues under reduced defensive visibility.

References

  1. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.
  2. Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024.
  3. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.
  4. Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.
  5. Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.
  6. Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.
  7. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
  8. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
  1. ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.
  2. Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.
  3. R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.
  4. Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.
  5. Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. Retrieved April 18, 2024.
  6. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
  7. Stefanko, L. (2020, September 30). APT‑C‑23 group evolves its Android spyware. Retrieved March 4, 2024.
  8. Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.