Device Administrator Permissions

Adversaries may request device administrator permissions to perform malicious actions.

By abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device’s password for Device Lockout, factory resetting the device to Delete Device Data and any traces of the malware, disabling all of the device’s cameras, or make it more difficult to uninstall the app.[1]

Device administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. In conjunction with other techniques, such as Input Injection, an app can programmatically grant itself administrator permissions without any user input.

ID: T1401
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android
MTC ID: APP-22
Version: 2.0
Created: 25 October 2017
Last Modified: 24 November 2020
Provided by LAYER 8

Procedure Examples

ID Name Description
S0540 Asacub

Asacub can request device administrator permissions.[2]

S0522 Exobot

Exobot can request device administrator permissions.[3]

S0536 GPlayed

GPlayed can request device administrator permissions.[4]

S0485 Mandrake

Mandrake can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.[5]

S0317 Marcher

Marcher requests Android Device Administrator access.[6]

S0286 OBAD

OBAD abuses device administrator access to make it more difficult for users to remove the application.[7]

S0539 Red Alert 2.0

Red Alert 2.0 can request device administrator permissions.[8]

S0318 XLoader for Android

XLoader for Android requests Android Device Administrator access.[9]

Mitigations

ID Mitigation Description
M1005 Application Vetting

Application vetting can check for the string BIND_DEVICE_ADMIN in the application’s manifest.

M1006 Use Recent OS Version

Changes were introduced in Android 7 to make abuse of device administrator permissions more difficult.[10]

M1011 User Guidance

Users should be told that it is very rare for an app to request device administrator permissions, and that any requests for the permissions should be scrutinized.

Detection

Users can see when an app requests device administrator permissions. Users can also view which apps have device administrator permissions in the settings menu.

References