Indicator Removal on Host: Uninstall Malicious Application

Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:

  • Abusing device owner permissions to perform silent uninstallation using device owner API calls.
  • Abusing root permissions to delete files from the filesystem.
  • Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.
ID: T1630.001
Sub-technique of: T1630
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android
MTC ID: APP-43
Version: 1.1
Created: 30 March 2022
Last Modified: 12 May 2026

Procedure Examples

ID Name Description
S1094 BRATA

BRATA can uninstall itself and remove traces of infection.[1][2]

S0480 Cerberus

Cerberus can uninstall itself from a device on command.[3]

S9004 Crocodilus

Crocodilus has the ability to uninstall itself from the device.[4]

S1092 Escobar

Escobar can uninstall itself and other applications.[5]

S1062 S.O.V.A.

S.O.V.A. can uninstall itself.[6]

S1055 SharkBot

SharkBot has C2 commands that can uninstall the app from the infected device.[7]

S0427 TrickMo

TrickMo can uninstall itself from a device on command by abusing the accessibility service.[8]

Mitigations

ID Mitigation Description
M1002 Attestation

Attestation can detect rooted devices. Mobile security software can then use this information and take appropriate mitigation action.

M1001 Security Updates

Security updates typically provide patches for vulnerabilities that enable device rooting.

M1011 User Guidance

Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.

Detection Strategy

ID: DET0690
Name: Detection of Uninstall Malicious Application
Analytic ID: AN1801
Analytic Description:

Correlates (1) a malicious application gaining or using a removal-capable control path, such as device owner or delegated app-management authority, accessibility service control over uninstall UI, or rooted filesystem access, (2) initiation of uninstall or package-removal behavior, and (3) disappearance of the application from installed-state inventory or app runtime immediately afterward, often with a short-lived final burst of local cleanup or outbound communication. The defender observes a causal chain where the application first establishes the ability to remove itself, then triggers uninstall or deletion, and then vanishes from expected app presence while device activity continues.
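As an added illustration of this analytic (example code, not part of the original page or of any ATT&CK tooling), the following Python correlates constructed agent telemetry into the three-stage chain described above: a removal-capable control path, an uninstall or delete action, and the package vanishing shortly after. The log format and event names are assumptions chosen for the example.

```python
from datetime import datetime

# Constructed sample telemetry (not from the original page), one event per line as
# "timestamp package event", roughly what an MDM or mobile EDR agent might report.
SAMPLE_EVENTS = """\
2024-06-01T10:00:00 com.example.bank PACKAGE_INSTALLED
2024-06-01T10:05:00 com.example.bank ACCESSIBILITY_SERVICE_ENABLED
2024-06-01T10:05:30 com.example.bank OUTBOUND_CONNECTION
2024-06-01T10:06:00 com.example.bank UNINSTALL_INTENT_SENT
2024-06-01T10:06:05 com.example.bank PACKAGE_REMOVED
2024-06-01T10:07:00 com.example.notes PACKAGE_REMOVED
2024-06-01T11:00:00 com.example.weather DEVICE_OWNER_GRANTED
"""

# Hypothetical event labels for the three stages the analytic correlates.
CONTROL_PATH = {"ACCESSIBILITY_SERVICE_ENABLED", "DEVICE_OWNER_GRANTED", "ROOT_SHELL_EXEC"}
REMOVAL_INIT = {"UNINSTALL_INTENT_SENT", "PACKAGE_DELETE_API_CALL", "APK_FILE_DELETED"}
GONE = {"PACKAGE_REMOVED"}
STAGES = (CONTROL_PATH, REMOVAL_INIT, GONE)


def parse_events(text):
    """Parse 'timestamp package event' lines into time-ordered (datetime, pkg, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, pkg, kind = line.split()
        events.append((datetime.fromisoformat(ts), pkg, kind))
    return sorted(events)


def detect_self_uninstall(events, window_seconds=1800):
    """Return one finding per package whose events form control -> removal -> gone,
    each step following the previous one within window_seconds."""
    by_pkg = {}
    for ts, pkg, kind in events:
        by_pkg.setdefault(pkg, []).append((ts, kind))
    findings = []
    for pkg, evs in by_pkg.items():
        stage, t_prev, chain = 0, None, []
        for ts, kind in evs:  # already time-ordered
            if stage < 3 and kind in STAGES[stage] and (
                    t_prev is None or (ts - t_prev).total_seconds() <= window_seconds):
                chain.append((kind, ts))
                t_prev, stage = ts, stage + 1
        if stage == 3:  # full causal chain observed; count the final outbound burst
            burst = sum(1 for ts, k in evs
                        if k == "OUTBOUND_CONNECTION" and chain[0][1] <= ts <= chain[2][1])
            findings.append({"package": pkg, "chain": chain, "outbound_before_removal": burst})
    return findings
```

A package removed without a preceding control-path and removal event (com.example.notes), or one that gains a control path but never disappears (com.example.weather), produces no finding.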

References