Skip to content

DET0618 Detection of Download New Code at Runtime

Item Value
ID DET0618
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1407 (Download New Code at Runtime)

Analytics

Android

AN1677

Application vetting services may be able to list domains and/or IP addresses that applications communicate with. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of DexClassLoader, System.load, or the WebView JavaScriptInterface capability; on iOS, use of JSPatch or similar capabilities).

Log Sources
Data Component Name Channel
Network Communication (DC0113) Application Vetting None
Network Traffic Content (DC0085) Network Traffic None
API Calls (DC0112) Application Vetting None
Mutable Elements
Field Description

iOS

AN1678

Application vetting services may be able to list domains and/or IP addresses that applications communicate with. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of DexClassLoader, System.load, or the WebView JavaScriptInterface capability; on iOS, use of JSPatch or similar capabilities).

Log Sources
Data Component Name Channel
Network Communication (DC0113) Application Vetting None
Network Traffic Content (DC0085) Network Traffic None
API Calls (DC0112) Application Vetting None
Mutable Elements
Field Description