T1540 Code Injection
Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.
With root access, ptrace can be used to target specific applications and load shared libraries into its process memory.12 By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application’s process.3
| Item | Value |
|---|---|
| ID | T1540 |
| Sub-techniques | |
| Tactics | TA0028, TA0029, TA0030 |
| Platforms | Android, iOS |
| Version | 1.0 |
| Created | 30 October 2019 |
| Last Modified | 29 March 2020 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0463 | INSOMNIA | INSOMNIA grants itself permissions by injecting its hash into the kernel’s trust cache.5 |
| S0424 | Triada | Triada injects code into the Zygote process to effectively include itself in all forked processes. Additionally, code is injected into the Android Play Store App, web browser applications, and the system UI application.34 |
| S0494 | Zen | Zen can inject code into the Setup Wizard at runtime to extract CAPTCHA images. Zen can inject code into the libc of running processes to infect them with the malware.6 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1005 | Application Vetting | Static or dynamic code analysis to look for misuse of dynamic libraries. Increased focus on applications utilizing DexClassLoader. |
References
-
Shunix . (2016, March 22). Shared Library Injection in Android. Retrieved October 30, 2019. ↩
-
Alexandr Fadeev. (2018, August 26). Shared Library Injection on Android 8.0. Retrieved October 30, 2019. ↩
-
Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019. ↩↩
-
Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019. ↩
-
I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020. ↩
-
Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020. ↩