Full Report
A simple trick can remove malicious Android spyware apps that require a password to uninstall.
Analysis Summary
# Tool/Technique: Stealthy Password-Protected Android Spyware
## Overview
This entry describes a consumer-grade spyware application for Android that features a persistent anti-removal mechanism. The app combines Device Administrator registration with the "Draw over other apps" (overlay) permission: whenever the user opens the uninstall or deactivate screen in Settings, it draws a mandatory password prompt on top, so removal through the normal Settings flow requires the attacker's pre-set password.
## Technical Details
- Type: Malware (Spyware/Stalkerware)
- Platform: Android
- Capabilities: Hides its launcher icon, harvests data (text messages, photos, location), blocks uninstallation behind a password prompt, abuses Device Administrator privileges.
- First Seen: Not specified (Described as part of a growing ecosystem).
## MITRE ATT&CK Mapping (Mobile matrix)
- TA0030 - Defense Evasion
- T1628.001 - Hide Artifacts: Suppress Application Icon (launcher icon hidden)
- T1655.001 - Masquerading: Match Legitimate Name or Location (listed as "System Settings" with a stock icon)
- T1629.001 - Impair Defenses: Prevent Application Removal (password overlay over the uninstall/deactivate flow)
- TA0029 - Privilege Escalation / TA0028 - Persistence
- T1626.001 - Abuse Elevation Control Mechanism: Device Administrator Permissions (active admin cannot be uninstalled until deactivated)
- TA0035 - Collection
- T1636.004 - Protected User Data: SMS Messages
- T1430 - Location Tracking
- T1533 - Data from Local System (photos)
- TA0036 - Exfiltration
- T1646 - Exfiltration Over C2 Channel (implied by the upload of harvested content to the abuser's web dashboard)
## Functionality
### Core Capabilities
- **Data Harvesting:** Continuously uploads contents such as text messages, photos, and real-time location data to a remote web dashboard accessible by the abuser.
- **Stealth:** Hides its application icon from the victim's home screen.
- **Persistence via Device Admin:** Registers itself as a Device Administrator. Android refuses to uninstall an active device admin until the user deactivates it in Settings, and the API also lets the app lock or wipe the device; the data access itself comes from the runtime permissions the app requests (SMS, location, storage). Together these make standard removal difficult.
- **Disguise:** May appear in the installed apps list under the nondescript name "System Settings" using a default Android icon.
### Advanced Features
- **Anti-Uninstallation Lock:** Utilizes the "Draw over other apps" (Overlay) permission to forcibly display a password prompt whenever the user attempts to uninstall or deactivate the app via standard Android settings, locking the removal process unless the attacker's password is known.
## Indicators of Compromise
- File Hashes: N/A (Specific app not named)
- File Names: May appear as "System Settings" in the app list.
- Registry Keys: N/A (not applicable on Android)
- Network Indicators: Uploads harvested data to a private "web dashboard." (Specific domains/IPs not provided)
- Behavioral Indicators:
- Requesting and utilizing the "Draw over other apps" (Overlay) permission.
- Registration as a Device Administrator.
- Displaying a password prompt blocking uninstall actions.
## Associated Threat Actors
- Individuals using the tool for stalking, spousal abuse, or non-consensual monitoring (Often marketed as stalkerware or spouseware).
## Detection Methods
- **Signature-based detection:** Not explicitly detailed; Google Play Protect and mobile security products flag known stalkerware packages and signing certificates, so this catches known variants only.
- **Behavioral detection:** An app the user does not recognize that holds Device Administrator rights, has the overlay ("Draw over other apps") permission, shows no launcher icon, and generates steady background uploads is the pattern to look for. The combination is the tell; each permission on its own is common in legitimate apps.
- **Manual Investigation:** Review the full installed-app list (including apps with no icon) and the list of active Device Administrators in Settings, or pull the same information over adb (`dumpsys device_policy`, `pm list packages -3`, `appops get <pkg> SYSTEM_ALERT_WINDOW`).
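To make the manual investigation repeatable, here is an added shell helper; it is not code from the original report or from any stalkerware vendor. It correlates the behavioral indicators listed above (a user-installed package that is an active Device Administrator and also holds the overlay permission) across the text of three adb commands. The dump formats and the package `com.systemsettings.core` (standing in for the "System Settings" impostor) are constructed samples and assumptions; real `dumpsys` formatting varies by Android version.

```shell
#!/bin/sh
# Added triage helper (not from the original report). It applies the behavioral
# indicators above to the text of three adb commands:
#   adb shell dumpsys device_policy
#   adb shell pm list packages -3
#   adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
# The samples below are CONSTRUCTED to resemble those dumps (the stalkerware
# package name is made up); adjust the patterns if a device prints differently.

SAMPLE_DEVICE_POLICY='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.auth.managed.admin.DeviceAdminReceiver:
      uid=10090
      testOnlyAdmin=false
      policies:
        force-lock
    com.systemsettings.core/.receiver.AdminReceiver:
      uid=10234
      testOnlyAdmin=false
      policies:
        force-lock
        wipe-data'

SAMPLE_THIRD_PARTY='package:com.systemsettings.core
package:org.mozilla.firefox'

# Stand-in for `adb shell appops get "$1" SYSTEM_ALERT_WINDOW` on the sample device.
sample_appops() {
    case "$1" in
        com.systemsettings.core) echo 'SYSTEM_ALERT_WINDOW: allow; time=+3d2h11m5s ago' ;;
        *) echo 'No operations.' ;;
    esac
}

# Real-device equivalent of sample_appops (requires adb and a USB-debugging-enabled phone).
live_appops() {
    adb shell appops get "$1" SYSTEM_ALERT_WINDOW
}

# Print the component name (pkg/.Receiver) of every enabled device admin in a
# `dumpsys device_policy` dump read from stdin. Entries sit four spaces deep
# under the "Enabled Device Admins" header; the block ends at the next
# two-space-indented section.
active_admins() {
    awk '
        /Enabled Device Admins/ { inblock = 1; next }
        inblock && /^  [^ ]/     { inblock = 0 }
        inblock && /^    [A-Za-z0-9_.]+\/[^ ]+:$/ {
            sub(/^ +/, ""); sub(/:$/, ""); print
        }'
}

# Exit 0 when package $1 appears in `pm list packages -3` output on stdin,
# i.e. it is a user-installed app rather than part of the system image.
is_third_party() {
    grep -qx "package:$1"
}

# Exit 0 when appops output on stdin shows the overlay op allowed.
overlay_allowed() {
    grep -q '^SYSTEM_ALERT_WINDOW: allow'
}

# triage <device_policy dump> <pm list packages -3 output> <appops function>
# Emits one line per third-party device admin:
#   <package> <admin component> overlay=<yes|no>
# A hit with overlay=yes matches every behavioral indicator in the report and
# is the entry to deactivate in Settings while in Safe Mode.
triage() {
    printf '%s\n' "$1" | active_admins | while read -r comp; do
        pkg=${comp%%/*}
        printf '%s\n' "$2" | is_third_party "$pkg" || continue
        if "$3" "$pkg" | overlay_allowed; then ov=yes; else ov=no; fi
        printf '%s %s overlay=%s\n' "$pkg" "$comp" "$ov"
    done
}

# Offline run against the constructed samples. Against a real device:
#   triage "$(adb shell dumpsys device_policy)" "$(adb shell pm list packages -3)" live_appops
triage "$SAMPLE_DEVICE_POLICY" "$SAMPLE_THIRD_PARTY" sample_appops
```

The script only finds the package; deactivating the admin still happens in Settings under Safe Mode, because `dpm remove-active-admin` over adb only works for admins built with `android:testOnly`. Once the admin is deactivated, `adb shell pm uninstall --user 0 <package>` removes the app; while the admin is still active that command fails with `DELETE_FAILED_DEVICE_POLICY_MANAGER`.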
## Mitigation Strategies
- **Pre-Removal:** Reboot the device into **Safe Mode** (on most devices: long-press the power button, then long-press the on-screen "Power off" item and confirm "Reboot to safe mode"). Safe Mode loads only pre-installed system apps, so the spyware never starts and its password overlay cannot appear over the Settings screens.
- **Device Hardening:**
- Deactivating the unknown app's Device Administrator entry (Settings > Security > Device admin apps, or the equivalent on the OEM build) *while in Safe Mode*. Android refuses to uninstall an app while it is still an active admin, so this step comes first.
- Uninstalling the application completely after deactivating Device Admin status, then rebooting normally and confirming it no longer appears in the app list.
- Setting a long, unique, alphanumeric passcode for device access, since this class of app is installed by someone with physical access to the unlocked phone.
- Securing associated web accounts (e.g., the Google account): change the password, review signed-in devices, and enable two-factor authentication.
- **Safety caveat:** removing the app stops the uploads to the dashboard, which the person monitoring it may notice; anyone in an unsafe situation should plan for that before removal.
## Related Tools/Techniques
- General Android Stalkerware/Spyware (Often distributed outside of official app stores).
- Tools that abuse the Android Device Administrator API (e.g., many legitimate MDM solutions, but also many malicious monitoring apps).