S0286: OBAD
OBAD is an Android malware family. [1]
Analyst context for executives and security teams
OBAD matters because it represents Android malware behavior that can be hard to analyze and hard for users to remove once installed. For security leaders, the practical issue is not just a single malware family; it is whether mobile security, help desk, SOC, and incident response processes can identify suspicious Android applications, preserve evidence, and recover devices when malware uses obfuscation and removal-resistance techniques.
Executive priority
Prioritize OBAD as a mobile resilience and control-validation use case. Leaders should ask whether managed mobile devices have enforceable application governance, whether device administration or accessibility abuse would be visible, and whether incident responders have a defined path to contain and recover affected Android devices. This is also useful compliance evidence for mobile device management, malware defense, and incident response readiness, but the ATT&CK entry does not provide impact, prevalence, or active exploitation claims.
Technical view
ATT&CK identifies OBAD as an Android malware family and relates it to Obfuscated Files or Information (T1406) and Prevent Application Removal (T1629.001). SOC and IR teams should validate visibility into Android application inventory, installation events, application metadata, device administrator status, accessibility permission changes, user reports of uninstall failures, and mobile security alerts. Detection engineering should focus on behavioral evidence around apps that are difficult to inspect or uninstall rather than relying only on static family naming, especially because the official ATT&CK object provides no detection guidance and no tactics.
Likely telemetry
- Android application inventory and installation/update history
- Mobile device management or enterprise mobility management records
- Device administrator activation/deactivation events where available
- Accessibility permission changes where available
- Mobile threat defense or endpoint security alerts for suspicious Android applications
Detection direction
- Validate whether Android telemetry can show applications gaining device administration or accessibility capabilities and whether those changes are alertable.
- Tune for combinations of suspicious mobile app behavior: obfuscated or difficult-to-analyze packages plus resistance to removal.
- Confirm analysts can distinguish legitimate device administration applications from unexpected or user-installed applications requesting elevated control.
- Do not assume signature-based detection is sufficient; the related technique context emphasizes obfuscation as an evasion concern.
- Because ATT&CK provides no official detection text for OBAD, use local telemetry, mobile controls, and incident history to define practical detection logic.
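The detection direction above comes down to one triage rule: an application that gains device administration or accessibility control, is not on a locally maintained allowlist, and then resists removal should surface as an alert. The following Python routine is an added example written for this page; it is not code from MITRE, Glexia, or the cited Trend Micro analysis. The event schema (`device`, `package`, `event`, `installer` fields), the event names, the package names, and the allowlist are all constructed for illustration, since the ATT&CK object supplies no telemetry format. The routine goes slightly beyond the bullet list by also scoring the installer source, which is the kind of local context the page says must come from your own environment.

```python
"""
Added example (not from the ATT&CK page, Glexia, or MITRE): triage constructed
Android device-management events for applications that gain device-administrator
or accessibility control outside a local allowlist, and raise severity when the
same app also shows removal resistance (the OBAD-related behaviours T1629.001
and T1406 describe). All field names, event names and packages are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample events. The schema is hypothetical, not any real MDM format.
SAMPLE_EVENTS = [
    {"device": "dev-001", "package": "com.example.corp.mdmagent",
     "event": "DEVICE_ADMIN_ENABLED", "installer": "managed_store"},
    {"device": "dev-002", "package": "com.example.flashlight.free",
     "event": "INSTALLED", "installer": "sideload"},
    {"device": "dev-002", "package": "com.example.flashlight.free",
     "event": "DEVICE_ADMIN_ENABLED", "installer": "sideload"},
    {"device": "dev-002", "package": "com.example.flashlight.free",
     "event": "ACCESSIBILITY_GRANTED", "installer": "sideload"},
    {"device": "dev-002", "package": "com.example.flashlight.free",
     "event": "UNINSTALL_FAILED", "installer": "sideload"},
    {"device": "dev-003", "package": "com.example.notes",
     "event": "ACCESSIBILITY_GRANTED", "installer": "managed_store"},
]

# Locally maintained allowlist of apps expected to hold elevated control
# (hypothetical package name for a corporate MDM agent).
APPROVED_ELEVATED_APPS: Set[str] = {"com.example.corp.mdmagent"}

# Events that indicate an app gained a capability worth reviewing.
ELEVATED_EVENTS = {
    "DEVICE_ADMIN_ENABLED": "device_admin",
    "ACCESSIBILITY_GRANTED": "accessibility",
}


@dataclass
class Finding:
    device: str
    package: str
    reasons: List[str]
    severity: str  # "medium" or "high"


def triage(events: Iterable[dict],
           approved: Set[str] = APPROVED_ELEVATED_APPS) -> List[Finding]:
    """Aggregate events per (device, package) and emit findings for
    non-allowlisted apps that acquired elevated control."""
    state: Dict[Tuple[str, str], dict] = {}
    for ev in events:
        key = (ev["device"], ev["package"])
        s = state.setdefault(key, {"caps": set(),
                                   "installer": ev.get("installer", "unknown"),
                                   "uninstall_failed": False})
        if ev["event"] in ELEVATED_EVENTS:
            s["caps"].add(ELEVATED_EVENTS[ev["event"]])
        elif ev["event"] == "UNINSTALL_FAILED":
            # A failed uninstall after elevation is the removal-resistance signal.
            s["uninstall_failed"] = True

    findings: List[Finding] = []
    for (device, package), s in state.items():
        if not s["caps"] or package in approved:
            continue  # nothing elevated, or an expected admin app
        reasons = [f"gained {cap}" for cap in sorted(s["caps"])]
        unmanaged_source = s["installer"] != "managed_store"
        if unmanaged_source:
            reasons.append(f"installed via {s['installer']}")
        if s["uninstall_failed"]:
            reasons.append("uninstall failed (removal resistance)")
        # Device admin from an unmanaged source, or paired with a failed
        # uninstall, is the combination the page asks analysts to tune for.
        high = "device_admin" in s["caps"] and (unmanaged_source or s["uninstall_failed"])
        findings.append(Finding(device, package, reasons, "high" if high else "medium"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.device} {f.package}: " + "; ".join(f.reasons))
```

On the constructed input, the approved MDM agent is ignored, the sideloaded flashlight app that gained both capabilities and then failed to uninstall is rated high, and the store-installed notes app that only gained accessibility is rated medium for analyst review. The allowlist and the installer field are the two places where local environment data must replace the placeholders before this logic is useful.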
Mitigation priorities
- Maintain controlled Android application sourcing and inventory for managed devices.
- Restrict or review applications that request device administration or accessibility capabilities, consistent with business requirements.
- Ensure mobile device management processes can quarantine, retire, or recover devices when an application cannot be removed normally.
- Prepare IR playbooks for suspicious Android applications, including evidence capture, user communication, containment, and device recovery decisions.
- Use this object as a validation case for mobile security monitoring and compliance evidence rather than as proof of current exposure.
Analyst notes and limits
The strongest decision value comes from the relationships: OBAD is tied to obfuscation and preventing application removal. These behaviors create operational friction for SOC triage and device recovery. Security teams should use this as a test case for Android mobile telemetry and response workflows, not as a standalone indicator of campaign activity.
The supplied ATT&CK object is sparse: platforms and tactics are not specified in the main object, aliases and labels are absent, and official detection is not provided. The Android context is supported by the official description and related Prevent Application Removal technique. Local environment data is required to assess exposure, coverage, and response options.
OBAD
OBAD is an Android malware family. [1]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1629.001 | Prevent Application Removal (sub-technique) | OBAD abuses device administrator access to make it more difficult for users to remove the application. [1] |
| Mobile | T1406 | Obfuscated Files or Information | OBAD contains encrypted code along with an obfuscated decryption routine to make it difficult to analyze. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 63ecbc9144ac… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] TrendMicro-Obad: Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.
[2] OBAD (Citation: TrendMicro-Obad)
[3] mitre-attack S0286
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.