T1575 Native API

Adversaries may use Android’s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.

The NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding the intermediate languages and compilation steps that higher-level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.[1]

Adversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.[2]
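For analysts triaging an app, the following added example (not part of the original technique page) lists the native libraries packaged under `lib/<abi>/` in an APK and the JNI entry points visible in each one. It assumes a simple byte-string scan rather than full ELF symbol parsing, and the sample archive, library names and function names are constructed.

```python
import io
import re
import zipfile

# Statically bound JNI functions are exported as Java_<package>_<class>_<method>.
JNI_EXPORT = re.compile(rb"Java_[A-Za-z0-9_]+")
LIB_PATH = re.compile(r"^lib/([^/]+)/([^/]+\.so)$")
ELF_MAGIC = b"\x7fELF"


def triage_native_libs(apk_bytes):
    """Return one record per native library found under lib/<abi>/ in the APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in sorted(apk.namelist()):
            m = LIB_PATH.match(name)
            if not m:
                continue
            data = apk.read(name)
            exports = sorted({s.decode() for s in JNI_EXPORT.findall(data)})
            has_onload = b"JNI_OnLoad" in data
            findings.append({
                "path": name,
                "abi": m.group(1),
                "is_elf": data.startswith(ELF_MAGIC),
                "jni_exports": exports,
                # JNI_OnLoad with no Java_* names suggests RegisterNatives binding,
                # so the Java-to-native mapping needs manual review.
                "dynamic_registration_likely": has_onload and not exports,
            })
    return findings


def build_sample_apk():
    """Constructed sample: a minimal zip standing in for an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("lib/arm64-v8a/libstatic.so",
                   ELF_MAGIC + b"\x00Java_com_example_app_Native_decrypt\x00")
        z.writestr("lib/arm64-v8a/libdynamic.so",
                   ELF_MAGIC + b"\x00JNI_OnLoad\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for rec in triage_native_libs(build_sample_apk()):
        print(rec)
```

Native libraries are common in legitimate apps, so the output is a starting point for deciding which libraries need disassembly, not a verdict.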

| Item | Value |
| --- | --- |
| ID | T1575 |
| Tactics | TA0030, TA0041 |
| Platforms | Android |
| Version | 2.0 |
| Created | 28 April 2020 |
| Last Modified | 08 April 2022 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| S0540 | Asacub | Asacub has implemented functions in native code.[8] |
| S0432 | Bread | Bread has used native code in an attempt to disguise malicious functionality.[7] |
| S0529 | CarbonSteal | CarbonSteal has seen native libraries used in some reported samples.[5] |
| S0555 | CHEMISTGAMES | CHEMISTGAMES has utilized native code to decrypt its malicious payload.[4] |
| S0544 | HenBox | HenBox has contained native libraries.[6] |
| S0545 | TERRACOTTA | TERRACOTTA has included native modules.[3] |