Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.
| M1010 | Deploy Compromised Device Detection Method | Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action. |
Security updates frequently contain patches to vulnerabilities that can be exploited for root access.
| M1004 | System Partition Integrity | System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files. |
Users should be taught the dangers of rooting or jailbreaking their device.
Users can view a list of active device administrators in the device settings.
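
A defender-side triage of the three signals this page names (SELinux state, Verified Boot state, active device administrators), as an added example that is not part of the original page. The allowlist entry, the sample package names and the `dumpsys` layout being parsed are assumptions, and the sample text is constructed.

```shell
#!/bin/sh
# Live collection (needs adb and an authorized device); output is passed to assess():
#   adb shell getenforce
#   adb shell getprop ro.boot.verifiedbootstate
#   adb shell dumpsys device_policy
# Assumption: the "Enabled Device Admins" layout parsed below varies by Android release.

# Device admin components the organization expects (hypothetical value).
EXPECTED_ADMINS="com.example.mdm/.AdminReceiver"

# check_selinux MODE: report anything other than Enforcing (Permissive, Disabled).
check_selinux() {
    [ "$1" = Enforcing ] || echo "selinux:not-enforcing:$1"
}

# check_verified_boot STATE: report any state other than green
# (yellow = user-set root of trust, orange = unlocked, red = verification failed).
check_verified_boot() {
    [ "$1" = green ] || echo "verifiedboot:$1"
}

# check_admins DUMPSYS_TEXT: report each enabled admin component not on the allowlist.
check_admins() {
    printf '%s\n' "$1" | awk -v allow="$EXPECTED_ADMINS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /Enabled Device Admins/ { in_list = 1; next }
        in_list && /^[ \t]*$/ { in_list = 0 }   # a blank line ends the admin list
        in_list && $1 ~ /^[A-Za-z0-9_.]+\/[A-Za-z0-9_.$]+:?$/ {
            c = $1; sub(/:$/, "", c)
            if (!(c in ok)) print "admin:unexpected:" c
        }'
}

# assess MODE BOOTSTATE DUMPSYS_TEXT: all findings, one per line; no output means clean.
assess() { check_selinux "$1"; check_verified_boot "$2"; check_admins "$3"; }

# Constructed sample: permissive SELinux, unlocked bootloader, one extra device admin.
SAMPLE_DUMPSYS='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.AdminReceiver:
      uid=10150
    com.example.flashlight/.HiddenAdmin:
      uid=10233

  mPasswordOwner=-1'

assess Permissive orange "$SAMPLE_DUMPSYS"
```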