T1626.001: Device Administrator Permissions
Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for Endpoint Denial of Service, factory resetting the device for File Deletion and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app.
Device administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as Input Injection, an app can programmatically grant itself administrator permissions without any user input.
Analyst context for executives and security teams
Device Administrator Permissions matter because an Android app that convinces or forces a user into granting device administrator rights can gain control that affects device availability, privacy, and recoverability. In business terms, this can turn a mobile malware incident into a lockout, device wipe, camera disablement, or hard-to-remove app problem, complicating incident response and potentially disrupting mobile-dependent workflows.
Executive priority
Security leaders should treat this as a mobile privilege-escalation control issue, not just an app-risk issue. Priority questions are: which managed Android devices allow device administrator approval, how quickly can the organization identify apps holding those rights, are users trained to recognize risky permission prompts, and are mobile OS versions kept current enough to benefit from security architecture improvements. This is especially relevant where mobile devices support executive communications, financial workflows, field operations, or regulated data access.
Technical view
For SOC, mobile security, and IR teams, validate visibility into Android device administrator state and app permission changes. ATT&CK provides no official detection text for this sub-technique, but the relationship to DET0630 indicates a detection strategy exists for Device Administrator Permissions. Detection engineering should focus on identifying newly granted or suspicious device administrator privileges, apps that request powerful device admin actions such as password reset, factory reset, camera disablement, or uninstall resistance, and cases where permission approval appears inconsistent with normal user behavior. Because the object is a sub-technique of Abuse Elevation Control Mechanism, triage should consider it as evidence of elevated mobile control rather than an isolated permission event.
Likely telemetry
- Android device administrator app inventory and state
- Mobile device management or enterprise mobility management records for enrolled Android devices
- Mobile security alerts about high-risk app permissions or administrator activation
- App installation and package metadata for Android applications
- User-reported permission prompts or unexpected device behavior
Detection direction
- Confirm whether managed Android telemetry exposes which apps hold device administrator permissions and when those rights were granted or revoked.
- Baseline legitimate enterprise apps that require device administrator rights so alerts can focus on unexpected, newly installed, or user-side-loaded applications.
- Tune for high-risk combinations: device administrator permission plus banking-trojan-like or broad mobile malware behavior referenced by related software families, without assuming those families are present locally.
- Investigate cases where device administrator approval may have been granted through other behavior such as Input Injection, as described by MITRE, while avoiding assumptions without device evidence.
- Account for false positives from legitimate management, security, or productivity apps that use Android device administration features.
Mitigation priorities
- Prioritize use of recent mobile OS versions, aligned to M1006, because newer mobile operating systems may include patches and security architecture improvements that reduce exposure to observed techniques.
- Provide user guidance, aligned to M1011, on approving Android device administrator prompts only for expected and trusted apps and reporting unexpected permission requests.
- Maintain an approved list of enterprise apps that are allowed to hold device administrator privileges and review exceptions during mobile risk assessments.
- Ensure incident response playbooks include steps for devices where malicious apps are difficult to uninstall, devices are locked, or data has been wiped.
- For managed fleets, verify that mobile device management policy, app vetting, and enrollment controls support visibility and response for device administrator abuse.
Analyst notes and limits
ATT&CK lists this as Android-only and as a sub-technique of Abuse Elevation Control Mechanism. Related software includes multiple Android malware families such as XLoader for Android, Exobot, GPlayed, Red Alert 2.0, Asacub, AbstractEmu, Hornbill, Sunbird, and Crocodilus, showing that the behavior is represented across reported mobile malware, but this does not prove presence in any specific environment. The prior T1401 object is revoked by this object, so current reporting should use T1626.001.
The official ATT&CK object does not specify tactics and provides no official detection text. Practical detection quality depends on local Android management, mobile security, and incident response telemetry. The supplied fields support Android coverage only and do not support claims about other platforms, active exploitation in a given organization, or guaranteed detection.
Device Administrator Permissions
Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for Endpoint Denial of Service, factory resetting the device for File Deletion and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app.
Device administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as Input Injection, an app can programmatically grant itself administrator permissions without any user input.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1401 | Device Administrator Permissions | Device Administrator Permissions revoked by this object. |
| Mobile | T1626 | Abuse Elevation Control Mechanism | This object subtechnique of Abuse Elevation Control Mechanism. |
Groups, software, and campaigns
S1082: Sunbird
S0539: Red Alert 2.0
Red Alert 2.0 is a banking trojan that masquerades as a VPN client.[1]
S0536: GPlayed
S9004: Crocodilus
Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.[1][2]
S1061: AbstractEmu
AbstractEmu is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. AbstractEmu was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.[1]
S0522: Exobot
S0318: XLoader for Android
XLoader for Android is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.[1][2] It is tracked separately from the XLoader for iOS.
S1077: Hornbill
S0540: Asacub
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | 7c388b7eb452… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
NIST Mobile Threat Catalogue APP-22Open source URL
-
[2]
mitre-attack T1626.001Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.