
T1631 Process Injection

Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Neither Android nor iOS offers a legitimate way to achieve process injection. It is possible only by abusing existing root access or exploiting a vulnerability.

| Item | Value |
| --- | --- |
| ID | T1631 |
| Sub-techniques | T1631.001 |
| Tactics | TA0030, TA0029 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 30 March 2022 |
| Last Modified | 24 October 2025 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| S1208 | FjordPhantom | FjordPhantom has injected malicious code and a hooking framework through a virtualization solution, i.e. Virtualization Solution, into the process of the hosted application. [1] |
| S1185 | LightSpy | LightSpy injects libcynject.dylib into the SpringBoard process to enable audio/video recording. [2] |

References