1. Home
  2. Techniques
  3. Mobile
  4. Indicator Removal on Host

Indicator Removal on Host

ID Name
T1630.001 Uninstall Malicious Application
T1630.002 File Deletion
T1630.003 Disguise Root/Jailbreak Indicators

Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.

ID: T1630
Sub-techniques:  T1630.001, T1630.002, T1630.003
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android, iOS
MTC ID: APP-43
Version: 1.1
Created: 30 March 2022
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S1083 Chameleon

Chameleon has removed artifacts of its presence and has the ability to uninstall itself.[1]
S1231 GodFather

GodFather has requested for the WRITE_EXTERNAL_STORAGE permission to delete files in the device’s external storage.[2]
C0054 Operation Triangulation

During Operation Triangulation, the threat actors deleted the initial exploitation message and exploit attachment.[3]

Mitigations

ID Mitigation Description
M1002 Attestation

Attestation can detect unauthorized modifications to devices. Mobile security software can then use this information and take appropriate mitigation action.

M1001 Security Updates

Security updates typically provide patches for vulnerabilities that could be abused by malicious applications.
M1011 User Guidance

Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0651 Detection of Indicator Removal on Host AN1733

Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.
The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings.

AN1734

Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.
The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings.

References

  1. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
  2. Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.
  1. Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024.