TECHNIQUES
- Home
- Techniques
- Mobile
- Uninstall Malicious Application
Uninstall Malicious Application
Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:
- Abusing device owner permissions to perform silent uninstallation using device owner API calls.
- Abusing root permissions to delete files from the filesystem.
- Abusing the accessibility service. This requires an intent be sent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.
ID: T1576
Sub-techniques:
No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic:
Defense Evasion
Platforms: Android
MTC ID:
APP-43
Version: 1.0
Created: 04 May 2020
Last Modified: 26 May 2020
Procedure Examples
Name | Description |
---|---|
Cerberus | |
TrickMo |
TrickMo can uninstall itself from a device on command by abusing the accessibility service.[2] |
Mitigations
Mitigation | Description |
---|---|
Application Vetting |
Application vetting services could look for use of the accessibility service or features that typically require root access. |
Attestation |
Attestation can detect rooted devices. |
Security Updates |
Security updates typically provide patches for vulnerabilities that enable device rooting. |
User Guidance |
Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge. |
References
×