Mobile Defense Evasion consists of techniques adversaries use to avoid detection on mobile devices. These include hiding artifacts, obfuscating code, disabling security features, masquerading as legitimate applications, and using virtualization or sandbox detection to modify behavior when under analysis.
Tactic Overview
Tactic ID: TA0030 — Matrix: Mobile — Techniques: 17
The Defense Evasion tactic represents a phase in the adversary lifecycle where the adversary is trying to avoid being detected. This tactic is part of the MITRE ATT&CK Mobile matrix and encompasses 17 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (17)
The following techniques are categorized under the Defense Evasion tactic in the MITRE ATT&CK Mobile matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
T1661 | Application Versioning | Adversaries submit benign app versions to stores then update with malicious code after approval, or target sideloaded apps. | T1661 |
T1407 | Download New Code at Runtime | Adversaries download and execute new code at runtime to evade app store vetting and analysis. | T1407 |
T1627 | Execution Guardrails | Adversaries implement checks to only execute malicious functionality on targeted devices or in specific regions. | T1627 |
T1541 | Foreground Persistence | Adversaries maintain foreground app persistence by mimicking legitimate apps to avoid being killed by the OS. | T1541 |
T1628 | Hide Artifacts (3 sub-techniques) | Adversaries hide malicious files, processes, and artifacts on mobile devices to evade detection. | T1628 |
T1617 | Hooking | Adversaries intercept mobile API calls and function hooks to modify app behavior and capture data. | T1617 |
T1629 | Impair Defenses (3 sub-techniques) | Adversaries disable mobile security products, permissions prompts, and device protections to evade detection. | T1629 |
T1630 | Indicator Removal on Host (3 sub-techniques) | Adversaries remove indicators of compromise from mobile devices including app logs, network traces, and file artifacts. | T1630 |
T1516 | Input Injection | Adversaries inject input events into mobile devices to interact with applications without user awareness. | T1516 |
T1655 | Masquerading (2 sub-techniques) | Adversaries disguise malicious mobile apps as legitimate applications to trick users and evade detection. | T1655 |
T1575 | Native API | Adversaries interact with mobile OS native APIs to execute behaviors that may evade detection by mobile security products. | T1575 |
T1406 | Obfuscated Files or Information (2 sub-techniques) | Adversaries obfuscate mobile malware code using packing, encryption, or code transformation techniques. | T1406 |
T1631 | Process Injection (1 sub-techniques) | Adversaries inject code into running mobile app processes using ptrace or similar mechanisms. | T1631 |
T1604 | Proxy Through Victim | Adversaries route traffic through compromised mobile devices to obscure the origin of malicious activity. | T1604 |
T1632 | Subvert Trust Controls (2 sub-techniques) | Adversaries subvert mobile trust mechanisms including code signing and certificate validation. | T1632 |
T1670 | Virtualization Solution | Adversaries use virtualization on mobile devices to run malicious code in isolated environments. | T1670 |
T1633 | Virtualization/Sandbox Evasion (2 sub-techniques) | Adversaries detect mobile sandboxes and analysis environments to modify behavior and evade detection. | T1633 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Mobile threat defense
- Application vetting
- Regular integrity verification
- Behavioral analysis
- OS security updates
Detection Strategies
Effective detection of Defense Evasion techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Defense Evasion tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Defense Evasion Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
View All Reports →Written by Mjolnir Security Research — Published March 7, 2026