MITRE ATT&CK® Technique

T1628.001: Suppress Application Icon

A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.

This behavior has been seen in the BankBot/Spy Banker family of malware.[1][2][3]

Beginning in Android 10, changes were introduced to inhibit malicious applications’ ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application’s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app’s details page in the system settings. If the user clicks the synthesized activity in the launcher, they are taken to the application’s details page in the system settings.[4][5]

Domain: Mobile | ID: T1628.001 | Type: Sub-technique | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Suppress Application Icon matters because an Android app can be installed but intentionally absent from the normal launcher view, making it harder for users and help desks to notice or remove it. For organizations with employee-owned or managed Android devices, the decision issue is not just malware visibility; it is whether mobile security, support, and incident response processes rely too heavily on what a user can see on the home screen or app drawer.

Executive priority

Treat this as a mobile resilience and assurance gap: leaders should ask whether Android device inventories, user reporting paths, and incident response playbooks can identify installed applications even when no launcher icon is visible. The ATT&CK object notes Android 10 changes that inhibit some icon-hiding behavior, so OS currency is a practical control priority and an audit-friendly question for mobile risk management. Because multiple Android malware families and surveillanceware entries are related to this behavior, it is relevant to mobile banking, credential, privacy, and executive-device risk discussions without assuming current exposure.

Technical view

For SOC, mobile security, and IR teams, validate visibility into installed Android packages independent of launcher icons. The technique is Android-specific, has no ATT&CK detection text provided, and is a sub-technique of Hide Artifacts, so coverage should be tested around whether application inventory, package metadata, launcher activity state, OS version, work profile or fully managed device state, and user-facing app visibility can be compared. Android 10 behavior is important context: some hidden-icon cases may produce a synthesized launcher activity that opens the app details page, while system apps, apps requesting no permissions, apps without launcher activity, fully managed devices, or work profile cases may be fully hidden according to the supplied description.

Likely telemetry

  • Android installed application/package inventory from device management or endpoint/mobile security tooling
  • Launcher activity and app visibility metadata, including absence of launcher icon versus presence in system settings
  • Android OS version and patch/version distribution across the fleet
  • Device ownership and profile state, including fully managed devices and work profiles
  • Application permission requests and whether an app has no launcher activity

Detection direction

  • Do not rely on user-visible launcher icons as proof of installed-app state; compare installed packages against launcher-visible applications.
  • Validate the related DET0714 strategy locally, because no official ATT&CK detection procedure is supplied in the object fields.
  • Tune review logic for legitimate apps that hide icons to avoid drawer clutter or have no user-facing interface, as ATT&CK notes legitimate uses of these APIs under the parent Hide Artifacts technique.
  • Prioritize anomalies where an app is installed, not visible in the launcher, and has other risk indicators available in local telemetry, such as unexpected permissions, unknown provenance, or user complaints; those additional indicators require local evidence not supplied by ATT&CK.
  • Segment analysis by Android version because Android 10 introduced behavior that can limit or change icon hiding outcomes.
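The comparison called for in the technical view and the first detection bullet, as an added example (this code is not part of the ATT&CK object or of Glexia's analysis). It parses the output of two adb commands captured once from a device, `pm list packages -3` and `cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`, diffs installed packages against packages that still expose an enabled launcher activity, and encodes the Android 10 visibility rules quoted in the description so the analyst can tell a synthesized entry from a fully hidden package. The sample command output and the per-package metadata are constructed for this example, and the exact line layout of both commands is an assumption about common Android builds.

```python
"""
Added example: offline triage for Android packages that are installed but
absent from the launcher. Inputs are the captured text of

  adb shell pm list packages -3
      -> one "package:<name>" line per third-party package
  adb shell cmd package query-activities --brief \
      -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
      -> one "<package>/<activity>" line per ENABLED launcher activity

Sample text below is constructed; the output layout is an assumption.
"""
from __future__ import annotations

import re

# Constructed sample output of `pm list packages -3`.
PKG_LIST = """\
package:com.bank.official
package:com.example.weather
package:com.vendor.kiosk
package:com.example.sdkhost
"""

# Constructed sample output of `cmd package query-activities --brief ...`.
# A launcher activity the app disabled after install is not returned by the
# intent query, so a package that hid its icon simply drops out of this list.
LAUNCHER_QUERY = """\
2 activities found:
  com.bank.official/.MainActivity
  com.vendor.kiosk/com.vendor.kiosk.KioskActivity
"""

PKG_LINE = re.compile(r"^package:(\S+)$", re.M)
ACTIVITY_LINE = re.compile(r"^\s*([A-Za-z][\w.]*)/\S+$", re.M)


def parse_package_list(text: str) -> set[str]:
    """Package names from `pm list packages` output."""
    return set(PKG_LINE.findall(text))


def parse_launcher_packages(text: str) -> set[str]:
    """Packages that still expose at least one enabled MAIN/LAUNCHER activity."""
    return set(ACTIVITY_LINE.findall(text))


def packages_without_launcher_entry(pkg_text: str, launcher_text: str) -> set[str]:
    """Installed packages the user cannot reach from the app drawer."""
    return parse_package_list(pkg_text) - parse_launcher_packages(launcher_text)


def expected_launcher_state(
    api_level: int,
    *,
    system_app: bool,
    requests_permissions: bool,
    declares_launcher_activity: bool,
    launcher_activity_enabled: bool,
    managed_or_work_profile: bool,
) -> str:
    """What the launcher should show, following the Android 10 rules quoted in
    the description: 'icon', 'synthesized' (entry opening the app details
    page) or 'hidden'."""
    if declares_launcher_activity and launcher_activity_enabled:
        return "icon"
    if api_level < 29:            # before Android 10 nothing is synthesized
        return "hidden"
    if not declares_launcher_activity:
        return "hidden"           # never had an icon, e.g. a service-only app
    if system_app or not requests_permissions or managed_or_work_profile:
        return "hidden"           # the exceptions listed in the description
    return "synthesized"


# Constructed metadata a fleet tool might hold for flagged packages
# (hypothetical values for this example).
PACKAGE_FACTS = {
    "com.example.weather": dict(system_app=False, requests_permissions=True,
                                declares_launcher_activity=True,
                                launcher_activity_enabled=False,
                                managed_or_work_profile=False),
    "com.example.sdkhost": dict(system_app=False, requests_permissions=False,
                                declares_launcher_activity=False,
                                launcher_activity_enabled=False,
                                managed_or_work_profile=False),
}


def triage(pkg_text: str, launcher_text: str, api_level: int) -> dict[str, str]:
    """Map each launcher-absent package to a review verdict."""
    verdicts: dict[str, str] = {}
    for pkg in sorted(packages_without_launcher_entry(pkg_text, launcher_text)):
        facts = PACKAGE_FACTS.get(pkg)
        if facts is None:
            verdicts[pkg] = "review: no metadata"
        elif facts["declares_launcher_activity"] and not facts["launcher_activity_enabled"]:
            state = expected_launcher_state(api_level, **facts)
            verdicts[pkg] = f"review: launcher activity disabled; expected launcher state: {state}"
        else:
            verdicts[pkg] = "lower priority: never declared a launcher activity"
    return verdicts


if __name__ == "__main__":
    for pkg, verdict in triage(PKG_LIST, LAUNCHER_QUERY, api_level=29).items():
        print(f"{pkg:24} {verdict}")
```

The diff against the intent query works on every Android version because it never asks the launcher what it displays: on Android 10 and later the synthesized entry is produced by the launcher framework for the user, while the package's own launcher activity stays disabled and therefore absent from `query-activities`. The `expected_launcher_state` helper only tells the analyst whether the user could have noticed the app, which is what the Android-version segmentation bullet above is about.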

Mitigation priorities

  • Prioritize M1006 Use Recent OS Version: measure Android version currency and reduce populations below versions that lack the Android 10 icon-hiding limitations described by ATT&CK.
  • Apply M1011 User Guidance: teach users and support teams that launcher absence does not prove an app is absent, and direct them to installed-app settings or approved support channels.
  • Ensure mobile incident response procedures include app inventory review from system or management views rather than screenshots of the launcher.
  • For managed Android programs, validate policy and tooling assumptions separately for fully managed devices and work profiles, since the supplied Android behavior differs in those states.

Analyst notes and limits

This technique is a narrow but useful signal of mobile defense maturity: can the organization see installed apps when the user cannot? The relationship set shows use by numerous Android malware, banking trojan, spyware, adware, and surveillanceware software entries, but that should be treated as historical ATT&CK relationship context rather than evidence of current targeting in any environment.

Official ATT&CK detection text is not provided, tactics are not specified, and the supplied relationship DET0714 does not include detailed detection logic here. Any conclusion about maliciousness, active exploitation, affected users, or detection coverage requires local mobile telemetry, app provenance, and enterprise policy context.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1628 | Hide Artifacts | This object is a sub-technique of Hide Artifacts.
Mobile | T1508 | Suppress Application Icon | T1508 is revoked by this object; T1628.001 supersedes it.
Associated objects

Groups, software, and campaigns

Citation numbers inside these descriptions belong to each software object's own reference list, not to the references at the end of this page.

S0480: Cerberus (Malware; Mobile; platform: Android)

Cerberus is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of Cerberus claim it was used in private operations for two years.[1]

S0655: BusyGasper (Malware; Mobile; platform: Android)

BusyGasper is Android spyware that has been in use since May 2016. There have been fewer than 10 victims, all of whom appear to be located in Russia, and all were infected via physical access to the device.[1]

S0509: FakeSpy (Malware; Mobile; platform: Android)

FakeSpy is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.[1]

S0423: Ginp (Malware; Mobile; platform: Android)

Ginp is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from Anubis.[1]

S1062: S.O.V.A. (Malware; Mobile; platform: Android)

S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.[1][2]

S0440: Agent Smith (Malware; Mobile; platform: Android)

Agent Smith is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019 Agent Smith had infected around 25 million devices, primarily targeting India, though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.[1]

S0408: FlexiSpy (Tool; Mobile; platform: Android)

FlexiSpy is sophisticated surveillanceware for iOS and Android. Publicly available, comprehensive analysis has only been found for the Android version.[1][2]

FlexiSpy markets itself as a parental control and employee monitoring application.[3]

S0411: Rotexy (Malware; Mobile; platform: Android)

Rotexy is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.[1]

S1195: SpyC23 (Malware; Mobile; platform: Android)

SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.[1]

There are multiple close variants of SpyC23, such as VAMP[2], GnatSpy[3], Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: ba4190bd3f492666...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | ba4190bd3f49…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.
[2] Lukáš Štefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019.
[3] NJCCIC. (2017, March 2). BankBot/Spy Banker. Retrieved September 12, 2024.
[4] Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022.
[5] Android. (n.d.). LauncherApps: getActivityList. Retrieved March 30, 2022.
[6] MITRE ATT&CK. T1628.001: Suppress Application Icon (attack.mitre.org).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.