T1645 Compromise Client Software Binary
Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators.
Adversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device.
| Item | Value |
|---|---|
| ID | T1645 |
| Sub-techniques | |
| Tactics | TA0028 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 30 March 2022 |
| Last Modified | 20 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0293 | BrainTest | BrainTest uses root privileges (if available) to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset.9 |
| S0655 | BusyGasper | BusyGasper can abuse existing root access to copy components into the system partition.7 |
| S0550 | DoubleAgent | DoubleAgent has used exploits to root devices and install additional malware on the system partition.4 |
| S0407 | Monokle | Monokle can remount the system partition as read/write to install attacker-specified certificates.3 |
| S0316 | Pegasus for Android | Pegasus for Android attempts to modify the device’s system partition.2 |
| S0289 | Pegasus for iOS | Pegasus for iOS modifies the system partition to maintain persistence.6 |
| S0294 | ShiftyBug | ShiftyBug is auto-rooting adware that embeds itself as a system application, making it nearly impossible to remove.8 |
| S0324 | SpyDealer | SpyDealer maintains persistence by installing an Android application package (APK) on the system partition.5 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1002 | Attestation | Device attestation could detect devices with unauthorized or unsafe modifications. |
| M1003 | Lock Bootloader | A locked bootloader could prevent unauthorized modifications of protected operating system files. |
| M1001 | Security Updates | Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. |
| M1004 | System Partition Integrity | Android includes system partition integrity mechanisms that could detect unauthorized modifications. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | API Calls |
| DS0013 | Sensor Health | Host Status |
References
-
Android. (n.d.). Verified Boot. Retrieved December 21, 2016. ↩
-
Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017. ↩
-
Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. ↩
-
A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. ↩
-
Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018. ↩
-
Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016. ↩
-
Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021. ↩
-
Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016. ↩
-
Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016. ↩