Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9)
Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.
Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's performGlobalAction(int)
API could be utilized to prevent the user from removing the malicious application from the device after installation. If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.
-
Case 1: If the integer argument passed to the API call is
2
orGLOBAL_ACTION_HOME
, the malicious application may direct the user to the home screen from settings screen -
Case 2: If the integer argument passed to the API call is
1
orGLOBAL_ACTION_BACK
, the malicious application may emulate the back press event
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) | Attack Pattern | 1 |