T1575 Native API
Adversaries may use Android’s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.
The NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.1
Adversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.2
| Item | Value |
|---|---|
| ID | T1575 |
| Sub-techniques | |
| Tactics | TA0030, TA0041 |
| Platforms | Android |
| Version | 2.0 |
| Created | 28 April 2020 |
| Last Modified | 08 April 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0540 | Asacub | Asacub has implemented functions in native code.8 |
| S0432 | Bread | Bread has used native code in an attempt to disguise malicious functionality.7 |
| S0529 | CarbonSteal | CarbonSteal has seen native libraries used in some reported samples 5 |
| S0555 | CHEMISTGAMES | CHEMISTGAMES has utilized native code to decrypt its malicious payload.4 |
| S0544 | HenBox | HenBox has contained native libraries.6 |
| S0545 | TERRACOTTA | TERRACOTTA has included native modules.3 |
References
-
Google. (2019, December 27). Getting Started with the NDK. Retrieved April 28, 2020. ↩
-
M. Peck, C. Northern. (2016, August 22). Analyzing the Effectiveness of App Vetting Tools in the Enterprise. Retrieved April 28, 2020. ↩
-
Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020. ↩
-
B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020. ↩
-
A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. ↩
-
A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019. ↩
-
A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020. ↩
-
T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020. ↩