Indicator Removal on Host: Disguise Root/Jailbreak Indicators

ID          Name
T1630.001   Uninstall Malicious Application
T1630.002   File Deletion
T1630.003   Disguise Root/Jailbreak Indicators

An adversary could use knowledge of the techniques used by security software to evade detection.[1][2] For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary at a known path, but a check that keys on a fixed name or path can be evaded by installing the binary under a different name or location. Similarly, polymorphic code techniques could be used to evade signature-based detection.[3]
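The path-list check described above, beside two checks that do not depend on what the binary is called, as an added example that is not code from this ATT&CK page or from any vendor product. It runs against a constructed fake filesystem under a temporary directory (a setuid "su" wrapper in /system/xbin and a build.prop from a test-keys build) so it executes on any POSIX host without a device; the list of su paths and the rename target are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: contrast a path-list root check with checks keyed on file
# properties. Everything under $fs is constructed for the demonstration.

# Known su locations that simple detectors look for (hypothetical list).
SU_PATHS="/system/bin/su /system/xbin/su /sbin/su /su/bin/su /data/local/bin/su /data/local/xbin/su"

# Naive check: only the name and path matter, so a renamed binary is missed.
path_check() {
  root=$1
  for p in $SU_PATHS; do
    if [ -f "$root$p" ]; then
      echo "ROOTED:$p"
      return 0
    fi
  done
  echo "CLEAN"
}

# Property check: any setuid executable under system directories, whatever it
# is called. Renaming the binary does not change its mode bits.
setuid_check() {
  root=$1
  hit=$(find "$root/system" "$root/sbin" -type f -perm -4000 2>/dev/null | head -n 1)
  if [ -n "$hit" ]; then
    echo "ROOTED:${hit#"$root"}"
    return 0
  fi
  echo "CLEAN"
}

# Build-property check: a test-keys signed build is an indicator on its own
# and is unrelated to the su binary's name (build.prop is constructed here).
build_tags_check() {
  root=$1
  if grep -q '^ro.build.tags=test-keys' "$root/system/build.prop" 2>/dev/null; then
    echo "ROOTED:ro.build.tags=test-keys"
    return 0
  fi
  echo "CLEAN"
}

# Constructed fake filesystem: setuid su wrapper plus a test-keys build.prop.
make_fs() {
  fs=$(mktemp -d)
  mkdir -p "$fs/system/xbin" "$fs/sbin"
  printf '#!/system/bin/sh\nexec /system/bin/sh "$@"\n' > "$fs/system/xbin/su"
  chmod 4755 "$fs/system/xbin/su"
  printf 'ro.build.tags=test-keys\n' > "$fs/system/build.prop"
  echo "$fs"
}

# The evasion the text describes: keep the binary, change its name.
rename_su() {
  mv "$1/system/xbin/su" "$1/system/xbin/$2"
}

# Walk-through: the path check flips to CLEAN after the rename, the others do not.
fs=$(make_fs)
echo "before rename: path=$(path_check "$fs") setuid=$(setuid_check "$fs") build=$(build_tags_check "$fs")"
rename_su "$fs" .daemon
echo "after rename:  path=$(path_check "$fs") setuid=$(setuid_check "$fs") build=$(build_tags_check "$fs")"
rm -rf "$fs"
```

The point of the contrast is that an indicator tied to a name is the attacker's to choose, whereas mode bits, build properties and similar facts about the device are not changed by a rename; a real check would still need to handle a root manager that also strips the setuid bit or overlays a clean build.prop, which is why the page's Detection section points to attestation.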

ID: T1630.003
Sub-technique of:  T1630
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android, iOS
MTC ID: EMM-5
Version: 1.1
Created: 08 April 2022
Last Modified: 20 March 2023

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID       Data Source      Data Component
DS0013   Sensor Health    Host Status

Mobile security products can use attestation to detect compromised devices. Because an attestation verdict is produced by the platform rather than by the application scanning the filesystem for known artifacts, renaming or relocating a root or jailbreak indicator on the device does not by itself change the verdict.

References