DET0714: Detection of Suppress Application Icon
This detection strategy is tied to mobile malware behavior where an Android application hides its launcher icon so users are less likely to notice or remov...
Analyst context for executives and security teams
This detection strategy is tied to mobile malware behavior where an Android application hides its launcher icon so users are less likely to notice or remove it. For leaders, the practical issue is not the icon itself; it is loss of user visibility and slower response when an unwanted or malicious mobile app remains installed. The ATT&CK detection-strategy object has no official detection text, so organizations should treat this as a coverage validation prompt rather than an out-of-the-box detection.
Executive priority
Prioritize this where Android devices are part of the business environment, especially managed mobile fleets, bring-your-own-device programs with corporate access, or roles where mobile compromise could affect identity, data access, or operational continuity. Security leaders should ask whether mobile management, SOC workflows, and incident response playbooks can identify installed apps that are not visible to users and can support evidence for removal, investigation, and compliance reporting.
Technical view
The only supplied relationship is that DET0714 detects T1628.001, Suppress Application Icon, in the mobile ATT&CK domain, with Android as the related platform. SOC and mobile security teams should validate whether they can inventory installed Android applications independently of the launcher UI and identify discrepancies between installed packages and user-visible application icons. Because the ATT&CK object provides no official detection logic, local detection engineering must define baselines, device-management data sources, and triage rules.
Likely telemetry
- Android installed application/package inventory from managed devices
- Mobile device management or enterprise mobility management records
- Mobile threat defense or endpoint security observations for Android devices, if deployed
- Device configuration and application visibility state where available
- User or helpdesk reports of suspicious battery, network, or account behavior where an app is not visible in the launcher
Detection direction
- Validate that app inventory does not depend only on what users can see in the launcher.
- Compare installed Android packages against expected business-approved applications and known management exceptions.
- Look for apps present on the device but absent from launcher-visible app lists, while accounting for legitimate system, administrative, or background-only applications.
- Tune triage to reduce false positives from legitimate apps that intentionally have no launcher icon or are managed components.
- Ensure SOC procedures can correlate mobile app inventory findings with identity events, user reports, and device-management status before escalation.
Mitigation priorities
- Maintain authoritative Android application inventory through mobile management where applicable.
- Define approved application baselines and removal workflows for unmanaged or unexpected apps.
- Ensure users have a clear reporting path for suspected hidden or hard-to-uninstall mobile apps.
- Prepare incident response steps for mobile app investigation, containment, and evidence preservation.
- Review mobile access policies so compromised or non-compliant devices can be restricted from sensitive business services.
Analyst notes and limits
This take is based on the ATT&CK detection strategy DET0714 and its relationship to T1628.001, Suppress Application Icon. The related technique states that malicious Android applications may hide their launcher icon without special permissions, making user discovery and uninstall harder. The detection-strategy object itself does not include official detection content, tactics, or platforms, so the actionable value is in validating local Android visibility and response processes.
ATT&CK supplied no official description or detection logic for DET0714, and the detection-strategy object lists no platform or tactic directly. Android platform context comes only from the related technique T1628.001. No claim is made that this behavior is currently active in any environment or that any specific control will guarantee detection.
Detection of Suppress Application Icon
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1628.001 | Suppress Application Icon Sub-technique | This object detects Suppress Application Icon. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | fc07af3c67ea… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0714Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.