Indicator Removal on Host

Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.

ID: T1630
Sub-techniques:  T1630.001, T1630.002, T1630.003
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android, iOS
MTC ID: APP-43
Version: 1.1
Created: 30 March 2022
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S1083 Chameleon

Chameleon has removed artifacts of its presence and has the ability to uninstall itself.[1]

S1231 GodFather

GodFather has requested the WRITE_EXTERNAL_STORAGE permission to delete files in the device's external storage.[2]

C0054 Operation Triangulation

During Operation Triangulation, the threat actors deleted the initial exploitation message and exploit attachment.[3]

Mitigations

ID Mitigation Description
M1002 Attestation

Attestation can detect unauthorized modifications to devices. Mobile security software can then use this information and take appropriate mitigation action.

M1001 Security Updates

Security updates typically provide patches for vulnerabilities that could be abused by malicious applications.

M1011 User Guidance

Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.

Detection Strategy

ID: DET0651
Name: Detection of Indicator Removal on Host

Analytic ID: AN1733
Analytic Description: Detects indirect evidence of host-side indicator removal by correlating (1) local artifact creation or compromise-state-relevant activity, (2) later disappearance, alteration, or reporting loss for those artifacts or state indicators, and (3) continued application or device activity under reduced visibility. Because iOS provides weaker direct visibility into some Android-style artifact and jailbreak-indicator manipulation patterns, the defender relies more on app-private artifact lifecycle changes, managed posture shifts, and continued runtime or network activity after expected evidence disappears.

Analytic ID: AN1734
Analytic Description: Correlates (1) application activity that creates, modifies, or accesses local artifacts relevant to detection or device compromise state, (2) subsequent deletion, alteration, renaming, relocation, or visibility suppression of those artifacts, including files, application presence, media, or root-compromise indicators, and (3) continued application execution, reduced telemetry quality, or outbound activity after the artifact state changes. The defender observes a causal chain where host-side evidence is first manipulated and expected visibility or reporting degrades while the initiating application remains active.
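As an added illustration that is not part of the ATT&CK page and not a reference implementation, the three-step chain both analytics describe (artifact created, artifact later removed or altered, initiating app still active or telemetry degraded) can be expressed as a small correlation rule over per-app telemetry. The event types, package names, paths and timestamps below are constructed sample data.

```python
from collections import defaultdict

# Constructed sample telemetry, not real device logs:
# (timestamp in seconds, package name, event type, subject)
EVENTS = [
    (100, "com.example.notes", "artifact_create", "/data/user/0/com.example.notes/cache/tmp1"),
    (110, "com.example.notes", "artifact_delete", "/data/user/0/com.example.notes/cache/tmp1"),
    (200, "com.example.dropper", "artifact_create", "/sdcard/Download/stage2.apk"),
    (205, "com.example.dropper", "net_out", "203.0.113.10:443"),
    (260, "com.example.dropper", "artifact_delete", "/sdcard/Download/stage2.apk"),
    (270, "com.example.dropper", "telemetry_loss", "agent heartbeat missing"),
    (300, "com.example.dropper", "net_out", "203.0.113.10:443"),
    (400, "com.example.game", "artifact_create", "/sdcard/Pictures/shot.png"),
    (500, "com.example.game", "artifact_rename", "/sdcard/Pictures/shot.png"),
]

# Step (2) of the chain: the artifact disappears, moves, or is altered/hidden.
REMOVAL = {"artifact_delete", "artifact_rename", "artifact_hide", "artifact_alter"}
# Step (3): the app keeps running or talking out, or reporting quality drops.
CONTINUED = {"net_out", "process_alive", "telemetry_loss"}


def correlate(events, window=600):
    """Return one alert per (package, artifact) chain: the artifact was created,
    later removed or altered, and the same package shows continued activity or
    telemetry loss within `window` seconds after the removal."""
    created = defaultdict(dict)   # package -> artifact -> creation time
    removed = defaultdict(dict)   # package -> artifact -> removal time
    alerts = []
    for ts, pkg, kind, subject in sorted(events):
        if kind == "artifact_create":
            created[pkg][subject] = ts
        elif kind in REMOVAL and subject in created[pkg]:
            removed[pkg][subject] = ts
        elif kind in CONTINUED:
            # Any still-open removal for this package is completed by this event.
            for artifact, rts in list(removed[pkg].items()):
                if rts < ts <= rts + window:
                    alerts.append({"package": pkg, "artifact": artifact,
                                   "created": created[pkg][artifact],
                                   "removed": rts, "activity": (kind, ts)})
                    del removed[pkg][artifact]   # alert once per chain
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

A create followed by a delete with no later activity from the same package (the notes and game entries) produces nothing, which keeps ordinary cache cleanup and media edits out of the alert stream.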

References