DET0598: Detection of Prevent Application Removal
DET0598 is a mobile ATT&CK detection strategy for identifying attempts to prevent removal of an application, specifically related to Android technique T162...
Analyst context for executives and security teams
DET0598 is a mobile ATT&CK detection strategy for identifying attempts to prevent removal of an application, specifically related to Android technique T1629.001. The business issue is persistence: if a malicious or unwanted mobile app can stop users from uninstalling it, incident response and device recovery become harder, especially for managed mobile fleets and high-risk users.
Executive priority
Treat this as a mobile resilience and response-readiness concern rather than a standalone alerting rule. Leaders should ask whether the organization can prove which Android devices allow device administrator or accessibility privileges, whether users and help desks can remove suspicious apps quickly, and whether mobile management evidence is available during an investigation. This matters for continuity, compliance evidence, and incident decision-making because removal-resistant apps can extend dwell time and complicate containment.
Technical view
The official ATT&CK object provides no detection text, platforms, or tactics for DET0598, so implementation must be derived from the related technique context: Prevent Application Removal on Android. SOC, mobile security, and IR teams should validate visibility into applications granted device administrator capabilities and accessibility API permissions, and should review events or states indicating that an app cannot be uninstalled until privileges are deactivated. Detection content should be tested against legitimate enterprise device-management apps to avoid treating approved management controls as malicious by default.
Likely telemetry
- Android device administrator status and privilege assignments
- Android accessibility service enablement for installed applications
- Mobile device management or enterprise mobility management inventory and compliance records
- Application install, uninstall, deactivation, and removal-failure events where available
- Help desk or user reports indicating an application cannot be removed
Detection direction
- Build detections around unexpected or unapproved apps with device administrator privileges or accessibility permissions on Android devices.
- Compare privileged mobile apps against an approved enterprise baseline, especially for MDM, security, and accessibility-related tools.
- Validate whether telemetry records failed uninstall attempts or required privilege deactivation before removal; this may be a key blind spot.
- Tune carefully for legitimate administrative and accessibility use cases to reduce false positives.
- Because DET0598 has no official detection details, require local testing to confirm what the mobile platform, MDM, and SOC tooling can actually observe.
Mitigation priorities
- Maintain an approved baseline for Android applications permitted to use device administrator or accessibility capabilities.
- Use mobile management policy and review processes to restrict or monitor high-risk application privileges where supported.
- Ensure incident response procedures include steps to identify privileged mobile apps and coordinate safe removal through approved management channels.
- Train help desk and mobile support teams to escalate cases where users cannot uninstall an application.
- Preserve mobile management and application-inventory evidence for audit, compliance, and post-incident review.
Analyst notes and limits
This take is based on the DET0598 detection-strategy object and its relationship to T1629.001 Prevent Application Removal. The related technique description specifically references abuse of Android device administration APIs and accessibility APIs to prevent application removal. No active exploitation, actor attribution, or guaranteed detection coverage is implied.
The DET0598 object does not include an official description, official detection guidance, tactics, or platforms. Android context comes from the related T1629.001 technique relationship. Organizations must validate exact telemetry availability and control behavior in their own mobile management and SOC environment.
Detection of Prevent Application Removal
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1629.001 | Prevent Application Removal Sub-technique | This object detects Prevent Application Removal. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | cc9a45a8d18b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0598Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.