
T1617 Hooking

Adversaries may use hooking to hide the presence of artifacts associated with their behaviors and so evade detection. Hooking can be used to modify the return values or data structures of system APIs and function calls. This typically involves a third-party root framework, such as Xposed or Magisk, combined with either a system exploit or pre-existing root access. By loading custom modules into the root framework, adversaries can hook system APIs and alter their return values and/or system data structures, changing the functionality or visibility of various aspects of the system.
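The mitigations below rely on detecting rooted or hooked devices. As an added illustration, not code from the ATT&CK page or from any of the frameworks it names, the following Android (Java) class performs a few best-effort local checks for hooking-framework artifacts that the description above implies must exist in a hooked process: framework classes on the call stack, framework files mapped into the process, and a loadable framework class. The indicator strings are assumptions drawn from well-known Xposed artifacts and are illustrative, not exhaustive.

```java
// Added example, not part of the ATT&CK page. Best-effort, client-side hooking indicators.
// A framework that hooks system APIs can also hook these checks, so treat any finding as a
// signal to escalate to server-side device attestation rather than as a verdict on its own.
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

public final class HookingIndicators {

    // Assumption: illustrative Xposed class prefixes; other frameworks use different names.
    private static final String[] SUSPICIOUS_FRAME_PREFIXES = {
        "de.robv.android.xposed.XposedBridge",   // framework entry point / hook dispatcher
        "de.robv.android.xposed.XC_MethodHook",  // hook callback base class
    };
    // Assumption: illustrative file names a hooking framework maps into the app process.
    private static final String[] SUSPICIOUS_MAPPINGS = { "xposedbridge.jar", "libxposed" };

    /** Returns human-readable findings; an empty list means no indicator was observed. */
    public static List<String> collect() {
        List<String> findings = new ArrayList<>();

        // 1. Frameworks that hook methods insert their own frames into the call stack of
        //    hooked code, so a framework class on the current stack is a strong indicator.
        for (StackTraceElement frame : Thread.currentThread().getStackTrace()) {
            for (String prefix : SUSPICIOUS_FRAME_PREFIXES) {
                if (frame.getClassName().startsWith(prefix)) {
                    findings.add("stack frame: " + frame.getClassName() + "." + frame.getMethodName());
                }
            }
        }

        // 2. Hook code has to be mapped into this process; /proc/self/maps lists every mapping.
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                String lower = line.toLowerCase();
                for (String name : SUSPICIOUS_MAPPINGS) {
                    if (lower.contains(name)) findings.add("mapping: " + line.trim());
                }
            }
        } catch (IOException ignored) {
            // /proc may be restricted; absence of evidence is not evidence of absence.
        }

        // 3. If the framework's bridge class can be loaded, the framework is present.
        try {
            Class.forName("de.robv.android.xposed.XposedBridge");
            findings.add("class loadable: de.robv.android.xposed.XposedBridge");
        } catch (ClassNotFoundException expected) {
            // Normal on an unmodified device.
        }
        return findings;
    }
}
```

Call HookingIndicators.collect() early in app start-up and report findings to the backend alongside the device attestation result, since a rooted device can suppress the local result.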

| Item | Value |
|---|---|
| ID | T1617 |
| Sub-techniques | |
| Tactics | TA0030 |
| Platforms | Android |
| Version | 1.0 |
| Created | 24 September 2021 |
| Last Modified | 24 October 2022 |

Procedure Examples

| ID | Name | Description |
|---|---|---|
| S0407 | Monokle | Monokle can hook itself to appear invisible to the Process Manager.[1] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1002 | Attestation | Device attestation can often detect rooted devices. |
| M1010 | Deploy Compromised Device Detection Method | Mobile security products can often detect rooted devices. |

References