T1630.003: Disguise Root/Jailbreak Indicators
An adversary could use knowledge of the techniques used by security software to evade detection.[1][2] For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.[3]
Analyst context for executives and security teams
This mobile technique matters because it targets the trust organizations place in mobile security and MDM/EMM checks. If a rooted or jailbroken device can hide common indicators, such as by renaming expected artifacts, security tools may report a device as healthy when its integrity is actually questionable. For executives and security leaders, the issue is not only malware detection; it is whether mobile access decisions, BYOD controls, and compliance evidence rely too heavily on simple device-state indicators.
Executive priority
Prioritize this as a mobile assurance and control-validation issue for Android and iOS environments. Leaders should ask whether mobile access to business applications depends on jailbreak/root detection alone, whether those checks are independently validated, and whether SOC and incident response teams have a process for investigating suspicious mobile devices when MDM or security tooling reports incomplete or inconsistent status. This is especially relevant where mobile devices are used for privileged access, regulated data, or operational workflows.
Technical view
ATT&CK provides no official detection text or tactic mapping for T1630.003, but the relationship context identifies it as a sub-technique of Indicator Removal on Host and notes a related detection strategy, DET0710. SOC, mobile security, and IR teams should validate how Android and iOS controls detect compromised-device state when indicators are renamed, hidden, altered, or transformed. Detection engineering should avoid depending only on static artifact names such as a specific su binary path or signature-only matching, and should assess whether mobile security events, MDM posture data, application integrity signals, and device inventory data remain consistent when host artifacts are manipulated.
Likely telemetry
- MDM/EMM device compliance and posture records for Android and iOS
- Mobile threat defense or mobile security alerts related to root, jailbreak, tampering, or integrity status
- Device inventory and application inventory changes
- File or artifact integrity indicators where available from mobile security tooling
- Security tool health, event collection, and reporting status from enrolled mobile devices
Detection direction
- Review DET0710, where available, as the ATT&CK-linked detection strategy for this object.
- Validate whether compromised-device detection relies on single indicators, fixed filenames, or signature-only logic that may be evaded by renamed artifacts or polymorphic transformations.
- Correlate mobile security findings with MDM/EMM posture, device inventory, application inventory, and tool-health signals rather than treating any one source as authoritative.
- Tune investigation playbooks for inconsistent states, such as a device that remains compliant while showing unusual application, integrity, or reporting behavior.
- Account for false positives from legitimate device management changes, OS updates, security-tool version changes, or sanctioned testing of mobile controls.
Mitigation priorities
- Reduce reliance on a single root or jailbreak indicator for access decisions; use layered mobile posture and integrity checks where supported.
- Ensure MDM/EMM and mobile security configurations are current and collect the device posture evidence required for audits and incident response.
- Apply conditional access or equivalent policy controls based on device compliance and integrity signals, especially for sensitive applications and privileged workflows.
- Test mobile security controls against renamed or altered indicators in a controlled, authorized validation program without publishing operational bypass details.
- Maintain incident response procedures for quarantining, revalidating, or removing access from mobile devices with inconsistent or unreliable integrity reporting.
Analyst notes and limits
This object is a mobile ATT&CK sub-technique for Android and iOS. It supersedes revoked technique T1408 and is a sub-technique of T1630, Indicator Removal on Host. The supplied description emphasizes evasion of mobile security checks through knowledge of detection methods, including renamed root artifacts and polymorphic code affecting signature-based detection.
MITRE does not provide official detection text or tactics for this object in the supplied fields. The take is therefore framed around validation of mobile telemetry, control assumptions, and the ATT&CK relationship to DET0710 and T1630. Local platform mix, enrollment model, mobile security tooling, and access-control architecture are required to determine actual exposure or coverage.
Disguise Root/Jailbreak Indicators
An adversary could use knowledge of the techniques used by security software to evade detection.[1][2] For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.[3]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1630 | Indicator Removal on Host | This object subtechnique of Indicator Removal on Host. |
| Mobile | T1408 | Disguise Root/Jailbreak Indicators | Disguise Root/Jailbreak Indicators revoked by this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | ccd130f3e6ff… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Brodie
Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016.
Open source URL -
[2]
Tan
Vincent Tan. (2016, August). BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. Retrieved February 4, 2017.
Open source URL -
[3]
Rastogi
Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016.
Open source URL -
[4]
NIST Mobile Threat Catalogue EMM-5Open source URL
-
[5]
mitre-attack T1630.003Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.