Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.
| ID | Name | Description |
|---|---|---|
| S1083 | Chameleon |
Chameleon can remove artifacts of its presence and uninstall itself.[1] |
| ID | Mitigation | Description |
|---|---|---|
| M1002 | Attestation |
Attestation can detect unauthorized modifications to devices. Mobile security software can then use this information and take appropriate mitigation action. |
| M1001 | Security Updates |
Security updates typically provide patches for vulnerabilities that could be abused by malicious applications. |
| M1011 | User Guidance |
Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0041 | Application Vetting | Permissions Requests |
Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity. |
| DS0042 | User Interface | System Settings |
The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings. |