T1625.001 System Runtime API Hijacking
Adversaries may execute their own malicious payloads by hijacking the way an operating system run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time.
On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.
| Item | Value |
|---|---|
| ID | T1625.001 |
| Sub-techniques | T1625.001 |
| Tactics | TA0028 |
| Platforms | Android |
| Version | 1.1 |
| Created | 30 March 2022 |
| Last Modified | 20 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0420 | Dvmap | Dvmap replaces /system/bin/ip with a malicious version. Dvmap can inject code by patching libdmv.so or libandroid_runtime.so, depending on the Android OS version. Both libraries are related to the Dalvik and ART runtime environments. The patched functions can only call /system/bin/ip, which was replaced with the malicious version.4 |
| S0408 | FlexiSpy | FlexiSpy installs boot hooks into /system/su.d.2 |
| S0494 | Zen | Zen can install itself on the system partition to achieve persistence. Zen can also replace framework.jar, which allows it to intercept and modify the behavior of the standard Android API.3 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1002 | Attestation | Device attestation could detect unauthorized operating system modifications. |
| M1004 | System Partition Integrity | Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.1 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0013 | Sensor Health | Host Status |
References
-
Android. (n.d.). Verified Boot. Retrieved December 21, 2016. ↩
-
K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019. ↩
-
Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020. ↩
-
R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019. ↩