T1577 Compromise Application Executable
Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.
There are multiple ways an adversary can inject malicious code into applications. One is to take advantage of device vulnerabilities, the best known being Janus, an Android vulnerability that allowed extra bytes to be added to APK (application) and DEX (executable) files without invalidating the file's signature. Janus relied on the fact that the older JAR-based (v1) APK signature only covers the individual ZIP entries, while the Android runtime decides how to load a file from its leading bytes: a DEX file prepended to a signed APK still verifies as a ZIP yet is executed as DEX. By being able to add arbitrary bytes to valid applications, attackers could seamlessly inject code into genuine executables without the user's knowledge.1
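To make the Janus mechanism concrete, the following is an added example written for this page; it is not code from ATT&CK, from the Guardsquare write-up, or from any malware. It builds a constructed stand-in for a v1-signed APK (a plain ZIP with a manifest, a `classes.dex` and a `META-INF` entry, with no real signature data), prepends a constructed DEX-like payload to it, and then runs a triage check that a defender would want: does the file start with DEX magic while still opening as an intact ZIP with data in front of it? Function names such as `inspect_apk` and `zip_prefix_length` are this example's own, not part of any Android tooling.

```python
import io
import struct
import zipfile

# Bytes that identify a DEX file to the Android runtime; a file starting with them is loaded as DEX.
DEX_MAGIC = b"dex\n"


def build_sample_apk() -> bytes:
    """Constructed stand-in for a v1-signed APK: a ZIP with a manifest, a classes.dex
    and a META-INF entry. Real signing data is omitted; only the ZIP layout matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 100)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def janus_hybrid(apk: bytes, injected_dex: bytes) -> bytes:
    """Model the Janus trick: prepend a DEX to a signed APK. The ZIP entries, and so a
    v1 signature over them, are untouched because a ZIP is parsed from its end."""
    return injected_dex + apk


def zip_prefix_length(data: bytes) -> int:
    """Bytes sitting before the ZIP proper, derived from the end-of-central-directory
    record: the recorded central-directory offset is relative to the original archive
    start, so prepended data shows up as the gap to where the directory really sits."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP")
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    actual_cd_start = eocd - cd_size
    return actual_cd_start - cd_offset


def inspect_apk(data: bytes) -> dict:
    """Detection check for a Janus-style hybrid: DEX magic at offset 0 while the file
    still opens as an intact ZIP archive with data in front of its first local header."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            zip_entries_intact = z.testzip() is None  # None means every entry's CRC checks out
            entry_names = z.namelist()
    except zipfile.BadZipFile:
        zip_entries_intact, entry_names = False, []
    prefix = zip_prefix_length(data) if zip_entries_intact else -1
    starts_with_dex = data[:4] == DEX_MAGIC
    return {
        "starts_with_dex": starts_with_dex,
        "zip_entries_intact": zip_entries_intact,
        "prepended_bytes": prefix,
        "entries": entry_names,
        "janus_hybrid": starts_with_dex and zip_entries_intact and prefix > 0,
    }


if __name__ == "__main__":
    clean = build_sample_apk()
    # Constructed payload: a DEX header followed by filler, standing in for attacker code.
    hybrid = janus_hybrid(clean, b"dex\n035\x00" + b"\x41" * 50)
    print("clean :", inspect_apk(clean))
    print("hybrid:", inspect_apk(hybrid))
```

The clean archive reports zero prepended bytes; the hybrid reports the exact length of the injected payload while every ZIP entry still passes its CRC check, which is precisely why an entry-based v1 signature check does not notice it. On a real device this check only matters on platforms that still accept v1-only signed packages; APK Signature Scheme v2 signs the whole file rather than its entries, which is why the patch-level mitigations listed below close this class of tampering.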
Adversaries may also rebuild applications to include malicious modifications. This can be achieved by decompiling the genuine application, merging it with the malicious code, and recompiling it.2 Because the rebuilt package has to be re-signed, it carries the adversary's signing certificate rather than the original developer's.
Adversaries may also take action to conceal modifications to application executables and bypass user consent. These actions include disguising the modifications as an application update, or exploiting vulnerabilities that let the malicious application's activities run inside a system application.2
Item | Value |
---|---|
ID | T1577 |
Sub-techniques | |
Tactics | TA0028 |
Platforms | Android |
Version | 1.0 |
Created | 07 May 2020 |
Last Modified | 24 October 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0440 | Agent Smith | Agent Smith can inject fraudulent ad modules into existing applications on a device.2 |
S0311 | YiSpecter | YiSpecter has replaced device apps with ones it has downloaded.3 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1001 | Security Updates | Security updates frequently contain patches to vulnerabilities. |
M1006 | Use Recent OS Version | Many vulnerabilities related to injecting code into existing applications have been patched in previous Android releases. |
References
1. Guardsquare. (2017, November 13). New Android vulnerability allows attackers to modify apps without affecting their signatures. Retrieved May 7, 2020.
2. A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.
3. Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.