MITRE ATT&CK® Technique

T1628.002: User Evasion

Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device.

While there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.

Mobile | T1628.002 | Sub-technique | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

User Evasion is an Android mobile evasion behavior where malicious apps try to stay unnoticed by hiding activity from the person using the device. The practical risk is persistence: if suspicious behavior stops when the user is interacting with the phone, the compromise can remain installed longer and may be harder for help desk, SOC, or incident responders to confirm from user reports alone.

Executive priority

Treat this as a mobile resilience and visibility issue, not just a malware detail. Organizations that rely on Android devices for workforce access, financial workflows, executive communications, or regulated data should ask whether their mobile security program can identify compromised devices even when the user sees nothing abnormal. Priority should go to validating EMM/MDM, mobile security, and compromised-device detection evidence before an incident, because ATT&CK provides no generic detection text for this sub-technique.

Technical view

This sub-technique applies to Android and sits under Hide Artifacts. The supplied description highlights abuse of device motion sensors such as accelerometer or gyroscope to infer user interaction and pause visible or suspicious activity while the device is in use. SOC and IR teams should validate DET0699-aligned detection strategy coverage if available in their ATT&CK mapping, and correlate mobile app behavior, device posture, application inventory, and compromised-device signals rather than relying on user-visible symptoms. Relationship context shows multiple Android malware entries mapped to this behavior, including BusyGasper, FluBot, Hornbill, BRATA, SpyC23, and Crocodilus, so detections should be tested against behavior patterns rather than a single family name.

Likely telemetry

  • Android device inventory and enrolled/unmanaged status from EMM/MDM or equivalent mobile management
  • Installed application inventory, package metadata, and application reputation where available
  • Mobile threat defense or compromised-device detection alerts
  • Device integrity, rooting/jailbreak, and posture signals referenced by mitigation M1010
  • Application runtime or behavioral telemetry that can show suspicious activity changing when the device is idle versus actively used

Detection direction

  • Confirm whether the organization has a detection strategy mapped to DET0699 and what telemetry it actually requires.
  • Look for mobile threats whose suspicious behavior is intermittent, especially activity that appears when the device is idle and quiets when the user interacts with it.
  • Do not depend on user complaints or visible app artifacts; this behavior is designed to reduce what the user can observe.
  • Tune investigations to correlate app inventory, device posture, compromised-device signals, and timing patterns rather than treating sensor use alone as malicious, because motion sensors can have legitimate uses and ATT&CK notes access may not require user permission.
  • Account for blind spots on unmanaged Android devices, devices without mobile security telemetry, and environments where EMM/MDM only records inventory but not behavioral evidence.
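The second and fourth points above describe a timing heuristic rather than a signature: activity that clusters in periods when nobody is using the device, compared against how much of the day the device was actually idle. The following is an added example, not Glexia's or MITRE's code, that applies that heuristic to constructed telemetry. It assumes two exports a mobile management or mobile threat defense product could provide: windows of user interaction (screen unlocked, foreground input) and per-app activity events such as background execution or network egress. Package names, timestamps and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Interval:
    """Half-open time window [start, end)."""
    start: datetime
    end: datetime

    def contains(self, t: datetime) -> bool:
        return self.start <= t < self.end

    def seconds(self) -> float:
        return (self.end - self.start).total_seconds()


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: observation window for one managed device (12 h).
OBSERVATION = Interval(ts("2025-01-10T08:00:00"), ts("2025-01-10T20:00:00"))

# Constructed sample: windows in which telemetry shows the user interacting with
# the device. 4 h of the 12 h window, so the device was idle two thirds of the time.
USER_ACTIVE_WINDOWS = [
    Interval(ts("2025-01-10T08:00:00"), ts("2025-01-10T09:00:00")),
    Interval(ts("2025-01-10T12:00:00"), ts("2025-01-10T13:00:00")),
    Interval(ts("2025-01-10T18:00:00"), ts("2025-01-10T20:00:00")),
]

# Constructed sample: per-app activity events (timestamp, package). Package names
# are hypothetical; "com.example.updater" is the one whose activity only occurs
# while the device is idle.
APP_EVENTS = [
    ("2025-01-10T08:15:00", "com.example.mail"),
    ("2025-01-10T08:40:00", "com.example.mail"),
    ("2025-01-10T10:30:00", "com.example.mail"),
    ("2025-01-10T12:20:00", "com.example.mail"),
    ("2025-01-10T15:00:00", "com.example.mail"),
    ("2025-01-10T18:30:00", "com.example.mail"),
    ("2025-01-10T09:10:00", "com.example.updater"),
    ("2025-01-10T10:05:00", "com.example.updater"),
    ("2025-01-10T11:30:00", "com.example.updater"),
    ("2025-01-10T13:15:00", "com.example.updater"),
    ("2025-01-10T14:40:00", "com.example.updater"),
    ("2025-01-10T16:20:00", "com.example.updater"),
    ("2025-01-10T17:05:00", "com.example.updater"),
    ("2025-01-10T10:00:00", "com.example.weather"),  # only 3 events: too few to judge
    ("2025-01-10T14:00:00", "com.example.weather"),
    ("2025-01-10T16:00:00", "com.example.weather"),
]


def is_user_active(t: datetime, windows: list[Interval]) -> bool:
    return any(w.contains(t) for w in windows)


def device_idle_fraction(windows: list[Interval], observation: Interval) -> float:
    """Share of the observation window during which the user was NOT interacting."""
    active = sum(w.seconds() for w in windows)
    return 1.0 - active / observation.seconds()


def idle_activity_profile(events, windows, observation):
    """Per package: (events during idle time, events during user interaction)."""
    counts = defaultdict(lambda: [0, 0])
    for raw_ts, package in events:
        t = ts(raw_ts)
        if not observation.contains(t):
            continue  # outside the window we have interaction data for
        counts[package][1 if is_user_active(t, windows) else 0] += 1
    return {pkg: (idle, active) for pkg, (idle, active) in counts.items()}


def flag_idle_only_apps(events, windows, observation, min_events=5,
                        idle_threshold=0.9, lift_threshold=1.25):
    """Flag packages whose activity is almost entirely confined to idle periods AND
    is concentrated there well beyond what the device's own idle share explains.
    The result is a lead to correlate with inventory and posture, not a verdict."""
    baseline = device_idle_fraction(windows, observation)
    findings = {}
    for pkg, (idle, active) in idle_activity_profile(events, windows, observation).items():
        total = idle + active
        if total < min_events:
            continue  # too few events to call a timing pattern
        idle_frac = idle / total
        # lift: how much more idle-heavy this app is than the device in general
        lift = idle_frac / baseline if baseline > 0 else 0.0
        findings[pkg] = {
            "idle_events": idle,
            "active_events": active,
            "idle_fraction": round(idle_frac, 3),
            "lift": round(lift, 3),
            "suspicious": idle_frac >= idle_threshold and lift >= lift_threshold,
        }
    return findings


if __name__ == "__main__":
    for pkg, f in flag_idle_only_apps(APP_EVENTS, USER_ACTIVE_WINDOWS, OBSERVATION).items():
        print(pkg, f)
```

The lift term is what keeps the heuristic honest on the point made in the fourth bullet: a device that sits idle most of the day will make almost every benign app look idle-heavy, so an app is only flagged when its idle share is both high in absolute terms and clearly above the device's baseline. Hits still need to be joined with application inventory, reputation and posture signals before anyone treats them as a compromised-device finding.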

Mitigation priorities

  • Prioritize M1010: deploy a compromised-device detection method using built-in device mechanisms, mobile security applications, EMM/MDM capabilities, or other enterprise methods as appropriate.
  • Validate that mobile management can identify suspicious or compromised Android devices even when the user reports no visible symptoms.
  • Use layered controls because the supplied mitigation notes that some methods may be trivial to evade while others are more sophisticated.
  • Maintain accurate Android device enrollment and application inventory so IR teams can scope affected devices quickly.
  • For higher-risk users or workflows, require stronger mobile posture checks before access to sensitive enterprise resources.

Analyst notes and limits

This take is based only on the supplied ATT&CK v19.1 STIX fields and relationships for T1628.002. The object has no specified tactics and no official detection text, so recommendations focus on validation of mobile telemetry, DET0699 relationship coverage, and M1010 mitigation direction. Software relationships demonstrate that ATT&CK maps this behavior to several Android malware entries, but they should not be read as evidence of current activity in any specific environment.

Local control maturity determines practical coverage. ATT&CK does not provide detection logic, required data sources, false-positive examples, or detailed sensor-access indicators for this object. The supplied platform is Android only; no claims are made for other platforms.

Official MITRE ATT&CK definition

User Evasion

Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device.

While there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain   ID      Name             Relationship / procedure
Mobile   T1628   Hide Artifacts   This object is a sub-technique of Hide Artifacts.
Mobile   T1618   User Evasion     T1618 User Evasion was revoked and replaced by this object.
Associated objects

Groups, software, and campaigns

Malware (Mobile)

S1195: SpyC23

SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.[1]

There are multiple close variants of SpyC23, such as VAMP[2], GnatSpy[3], Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.

Platform: Android
Malware (Mobile)

S9004: Crocodilus

Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.[1][2]

Platform: Android
Malware (Mobile)

S1094: BRATA

BRATA (Brazilian Remote Access Tool, Android) is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and the USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.[1][2][3]

Platform: Android
Malware (Mobile)

S1067: FluBot

FluBot is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.[1][2] An international law enforcement operation of 11 countries eventually disrupted the spread of FluBot.[3]

Platform: Android
Malware (Mobile)

S0655: BusyGasper

BusyGasper is Android spyware that has been in use since May 2016. There have been fewer than 10 victims, all of whom appear to be located in Russia and all of whom were infected via physical access to the device.[1]

Platform: Android
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1e1ae79cf4f6358f...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 1e1ae79cf4f6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: T1628.002 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.