T1628: Hide Artifacts
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application’s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.
Analyst context for executives and security teams
Hide Artifacts matters because a malicious Android application can make itself or its outputs less visible to the user, reducing the chance that the user notices, reports, or removes it. For leaders, this is a mobile resilience and incident-response issue: if enterprise mobile visibility depends mainly on users seeing suspicious apps or files, this behavior creates a material blind spot.
Executive priority
Prioritize validation of mobile device inventory, application visibility, and incident response procedures for Android devices. This technique supports persistence of unwanted applications by reducing user awareness, so decision-makers should ask whether managed devices can show installed applications and suspicious hidden media/files independently of the normal launcher or Gallery view. It also affects audit evidence: organizations should be able to demonstrate that mobile security monitoring does not rely only on user-visible artifacts.
Technical view
The mirrored object fields for this parent technique carried no tactic and no official detection text, so the practical scope comes from its sub-techniques: suppressing an application icon (T1628.001), evading user observation (T1628.002), and concealing multimedia files (T1628.003), for example through Android behaviors that keep media out of Gallery-style views. SOC, detection engineering, and IR teams should validate DET0640-related coverage where it is available, but should not assume coverage from the parent technique alone. Confirm whether mobile telemetry can enumerate installed packages, launcher visibility changes, suspicious hidden media locations, and user-evasion indicators independently of what the device user can see.
Likely telemetry
- Android mobile device management or enterprise mobility inventory showing installed applications/packages
- Mobile threat defense or endpoint telemetry for application metadata and visibility state
- Application install/update history and configuration changes
- File system or media index evidence for hidden or non-indexed multimedia locations where available
- User reports of missing launcher icons, unexpected app behavior, or difficult-to-remove applications
Detection direction
- Validate the related detection strategy DET0640 if available in the local ATT&CK knowledge base, but note that no official detection procedure was supplied in this object.
- Do not rely on launcher icons, app drawer visibility, or Gallery visibility as proof that an app or captured media is absent.
- Tune detections around discrepancies between installed applications and user-visible launcher entries, while allowing for legitimate applications that intentionally hide icons because they have no user-facing interface.
- For multimedia concealment, look for evidence that files exist outside normal user-visible media views; treat findings as triage leads because legitimate applications may also create non-indexed folders.
- During mobile IR, include package inventory and file/media review rather than depending only on user screenshots or visual inspection of the device.
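The two triage checks suggested above (installed packages with no launcher entry, and media files kept out of indexed views) can be run over captures taken during mobile IR. The script below is an added example, not Glexia, MITRE, or vendor code. It assumes three text captures were taken with adb (`adb shell pm list packages -3 -i`, `adb shell cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`, and `adb shell find /sdcard -type f`); the exact wording of those commands' output varies by Android version, so the parsers rely only on the `package:` and `pkg/activity` line shapes. The sample captures embedded in the script are constructed for the example, and the allowlist of legitimately icon-less packages is hypothetical.

```python
"""Triage helpers for T1628 (Hide Artifacts) on managed Android devices.

Added example, not code from the page's source. Inputs are text captures
of adb commands (see the lead-in); the samples below are constructed.
"""
import re
from collections import namedtuple

# Constructed sample of `pm list packages -3 -i`: third-party packages
# and the installer that placed them. installer=null means sideloaded.
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.example.keyboard  installer=com.android.vending
package:com.example.updater  installer=null
package:com.example.notes  installer=com.android.vending
"""

# Constructed sample of the MAIN/LAUNCHER activity query. Only apps that
# expose a launcher activity (an app-drawer icon) appear here.
SAMPLE_LAUNCHER = """\
2 activities found:
  com.example.bank/.MainActivity
  com.example.notes/com.example.notes.ui.Home
"""

# Constructed sample of `find /sdcard -type f`.
SAMPLE_FILES = """\
/sdcard/DCIM/Camera/IMG_0001.jpg
/sdcard/Android/data/com.example.updater/files/.cache/.nomedia
/sdcard/Android/data/com.example.updater/files/.cache/rec_20240101.mp4
/sdcard/Android/data/com.example.updater/files/.cache/shot_001.jpg
/sdcard/Music/.nomedia
/sdcard/Music/track.mp3
/sdcard/Pictures/holiday.png
"""

# Hypothetical allowlist of packages that legitimately have no launcher
# icon (keyboards, overlays, device-admin agents). Build yours from MDM data.
KNOWN_ICONLESS = {"com.example.keyboard"}

MEDIA_EXT = {".jpg", ".jpeg", ".png", ".mp4", ".3gp", ".mp3", ".m4a", ".amr"}

Finding = namedtuple("Finding", "package installer reason")


def parse_packages(text):
    """Return {package: installer_or_None} from `pm list packages -i` output."""
    out = {}
    for m in re.finditer(r"^package:(\S+)(?:\s+installer=(\S+))?", text, re.M):
        pkg, inst = m.group(1), m.group(2)
        out[pkg] = None if inst in (None, "null") else inst
    return out


def parse_launcher_packages(text):
    """Return the set of packages that expose a MAIN/LAUNCHER activity."""
    return {m.group(1) for m in re.finditer(r"^\s*([\w.]+)/\S+", text, re.M)}


def hidden_icon_candidates(pkg_text, launcher_text, allowlist=KNOWN_ICONLESS):
    """Installed third-party packages with no launcher entry (T1628.001 lead).

    Sideloaded packages (no installer recorded) are listed first: a missing
    icon on an app that did not come from the managed store is the stronger
    signal. Allowlisted packages are skipped to cut known-benign noise.
    """
    pkgs = parse_packages(pkg_text)
    visible = parse_launcher_packages(launcher_text)
    findings = []
    for pkg, installer in sorted(pkgs.items()):
        if pkg in visible or pkg in allowlist:
            continue
        reason = "no launcher activity"
        if installer is None:
            reason += ", sideloaded"
        findings.append(Finding(pkg, installer, reason))
    findings.sort(key=lambda f: f.installer is not None)  # sideloaded first
    return findings


def nomedia_media_files(find_text):
    """Media files under a directory carrying a .nomedia marker (T1628.003 lead).

    Android's media scanner skips such directories, so the files never show
    in Gallery-style views. Legitimate apps also use .nomedia for caches and
    ringtones, so hits are triage leads, not verdicts.
    """
    paths = [p.strip() for p in find_text.splitlines() if p.strip()]
    hidden_dirs = {p.rsplit("/", 1)[0] for p in paths if p.endswith("/.nomedia")}
    hits = []
    for p in paths:
        d, name = p.rsplit("/", 1)
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in MEDIA_EXT and any(d == h or d.startswith(h + "/") for h in hidden_dirs):
            hits.append(p)
    return hits


if __name__ == "__main__":
    for f in hidden_icon_candidates(SAMPLE_PACKAGES, SAMPLE_LAUNCHER):
        print(f"[icon]  {f.package} installer={f.installer} ({f.reason})")
    for p in nomedia_media_files(SAMPLE_FILES):
        print(f"[media] {p}")
```

On the constructed samples the icon check reports only `com.example.updater` (no launcher activity, sideloaded), while the keyboard is suppressed by the allowlist; the media check returns the two files hidden under the updater's `.nomedia` cache and also `/sdcard/Music/track.mp3`, which illustrates why `.nomedia` hits need human triage rather than automatic blocking.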
Mitigation priorities
- Establish authoritative Android device and application inventory for managed devices.
- Require mobile security tooling or MDM/EMM controls that can report installed applications independently of launcher visibility.
- Define IR collection steps for Android cases that include package enumeration and review of hidden or non-indexed media artifacts where available.
- Educate help desk and SOC teams that a missing launcher icon does not prove an application is absent or removed.
- Use policy and application governance to reduce unmanaged or untrusted applications on enterprise Android devices, while accounting for legitimate apps that may not expose a launcher icon.
Analyst notes and limits
The supplied ATT&CK object is a parent mobile technique for Android. The most useful defensive context comes from its sub-techniques: Suppress Application Icon, User Evasion, and Conceal Multimedia Files. The object also has a relationship to DET0640, but the detailed detection content was not supplied here, so this take treats it as a pointer for validation rather than as a guaranteed analytic.
Official detection text, tactics, permissions, data sources, mitigations, and detailed DET0640 content were not provided in the supplied fields. Local Android management architecture, mobile security tooling, BYOD policy, and forensic access will determine whether the suggested telemetry and validation steps are feasible.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1628.001 | Suppress Application Icon | Sub-technique of T1628. |
| Mobile | T1628.002 | User Evasion | Sub-technique of T1628. |
| Mobile | T1628.003 | Conceal Multimedia Files | Sub-technique of T1628. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lets you compare the same object across releases (object hashes and MITRE modification timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 940d03f8d8e6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: T1628 (MITRE ATT&CK source record)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.