Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1630.001: Uninstall Malicious Application

Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: * Abusing device owner permissions to perform silent uninstallation using device owner API calls. * Abusing root permissions to delete files from the filesystem. * Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.

MobileT1630.001Sub-techniqueObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This Android mobile behavior matters because malware may remove itself from a device after achieving its objective or when it wants to reduce visible evidence. For leaders, the risk is not just the uninstall event; it is the potential loss of mobile forensic artifacts, reduced security reporting, and delayed confirmation of what happened on a user device.

Executive priority

Prioritize this where Android devices access enterprise resources, financial workflows, or identity/2FA processes. The supplied ATT&CK relationships show this behavior is used by multiple Android banking malware families, so security leaders should ask whether mobile posture controls, attestation, patch enforcement, and incident response processes can still make access decisions and preserve evidence when a suspicious app disappears.

Technical view

T1630.001 is an Android sub-technique of Indicator Removal on Host. ATT&CK describes three paths: abusing device owner permissions for silent uninstall, abusing root permissions to delete files, or abusing Accessibility Service to confirm an uninstall flow. Because no official detection text is provided, SOC and mobile security teams should validate coverage against the related detection strategy DET0690 and test whether EMM/MDM, mobile threat defense, and device telemetry can correlate app removal with device-owner status, root indicators, Accessibility Service abuse, and prior suspicious app presence.

Likely telemetry

  • Android application install/uninstall inventory and timestamps from EMM/MDM or mobile security tooling
  • Device owner / device administrator status changes and privileged management actions
  • Accessibility Service enablement, permission changes, and suspicious interaction patterns around uninstall prompts
  • Root or device integrity signals, including attestation failures where available
  • Filesystem or application package disappearance where mobile forensic collection is available

Detection direction

  • Validate that uninstall events are retained even when the app that generated prior alerts is no longer present.
  • Correlate app removal with recent Accessibility Service enablement, device owner permission abuse, root indicators, or attestation failure.
  • Tune triage to distinguish normal user-driven app removal from uninstall activity involving suspicious permissions or prior mobile threat alerts.
  • Confirm DET0690 applicability locally; the relationship exists, but ATT&CK did not provide detection implementation details in the supplied fields.
  • Watch for blind spots where personal/BYOD Android devices, unmanaged devices, or devices without mobile security agents cannot provide reliable uninstall or integrity telemetry.

Mitigation priorities

  • Use security update policy as a baseline: require recent Android security patch levels and restrict enterprise access from devices that are no longer receiving updates.
  • Enable remote attestation where available and block or limit enterprise access for devices that fail integrity checks.
  • Provide user guidance on risky behaviors relevant to this technique, especially granting Accessibility Service, device owner, or other high-risk permissions to untrusted apps.
  • Ensure incident response playbooks account for self-uninstalling mobile malware by preserving available EMM/MDM, attestation, and mobile security logs quickly.
Analyst notes and limits

The relationship set is meaningful: this behavior is used by several Android malware entries in ATT&CK, including TrickMo, Cerberus, SharkBot, S.O.V.A., Escobar, BRATA, and Crocodilus. That supports treating self-uninstall behavior as a mobile threat hunting and IR readiness concern, especially for Android devices involved in sensitive access or financial workflows.

ATT&CK provides no official detection text and no tactics for this sub-technique in the supplied object. The detection strategy relationship is named but not detailed here. Local platform management, logging depth, BYOD policy, and mobile security tooling will determine whether this behavior is observable.

Official MITRE ATT&CK definition

Uninstall Malicious Application

Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: * Abusing device owner permissions to perform silent uninstallation using device owner API calls. * Abusing root permissions to delete files from the filesystem. * Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

2 rows
Domain ID Name Relationship / procedure
Mobile T1630 Indicator Removal on Host This object subtechnique of Indicator Removal on Host.
Mobile T1576 Uninstall Malicious Application Uninstall Malicious Application revoked by this object.
Associated objects

Groups, software, and campaigns

Malware Mobile

S1094: BRATA

BRATA (Brazilian Remote Access Tool, Android), is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.[1][2][3]

Android
Malware Mobile

S1055: SharkBot

SharkBot is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.[1]

Android
Malware Mobile

S1062: S.O.V.A.

S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.[1][2]

Android
Malware Mobile

S0427: TrickMo

TrickMo a 2FA bypass mobile banking trojan, most likely being distributed by TrickBot. TrickMo has been primarily targeting users located in Germany.[1]

TrickMo is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.[1]

Android
Malware Mobile

S9004: Crocodilus

Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.[1][2]

Android
Malware Mobile

S0480: Cerberus

Cerberus is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of Cerberus claim was used in private operations for two years.[1]

Android
Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1001: Security Updates Mobile uses · Malware S1094: BRATA Mobile uses · Malware S1055: SharkBot Mobile subtechnique of · Technique T1630: Indicator Removal on Host Mobile uses · Malware S1062: S.O.V.A. Mobile uses · Malware S0427: TrickMo Mobile mitigates · Mitigation M1011: User Guidance Mobile uses · Malware S9004: Crocodilus Mobile detects · Detection Strategy DET0690: Detection of Uninstall Malicious Application Mobile revoked by · Technique T1576: Uninstall Malicious Application Mobile uses · Malware S0480: Cerberus Mobile uses · Malware S1092: Escobar Mobile mitigates · Mitigation M1002: Attestation Mobile
Mitigations

Mitigation direction

Mitigation Mobile

M1001: Security Updates

Install security updates in response to discovered vulnerabilities.

Purchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.

Decommission devices that will no longer receive security updates.

Limit or block access to enterprise resources from devices that have not installed recent security updates.

On Android devices, access can be controlled based on each device's security patch level. On iOS devices, access can be controlled based on the iOS version.

Mitigation Mobile

M1011: User Guidance

Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.

Mitigation Mobile

M1002: Attestation

Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
27a744b1b8538c11...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 27a744b1b853…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    NIST Mobile Threat Catalogue APP-43
    Open source URL
  2. [2]
    mitre-attack T1630.001
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use