Skip to content

T1645 Compromise Client Software Binary

Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators.

Adversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device.

Item Value
ID T1645
Tactics TA0028
Platforms Android, iOS
Version 1.1
Created 30 March 2022
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S0293 BrainTest BrainTest uses root privileges (if available) to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset.9
S0655 BusyGasper BusyGasper can abuse existing root access to copy components into the system partition.7
S0550 DoubleAgent DoubleAgent has used exploits to root devices and install additional malware on the system partition.4
S0407 Monokle Monokle can remount the system partition as read/write to install attacker-specified certificates.3
S0316 Pegasus for Android Pegasus for Android attempts to modify the device’s system partition.2
S0289 Pegasus for iOS Pegasus for iOS modifies the system partition to maintain persistence.6
S0294 ShiftyBug ShiftyBug is auto-rooting adware that embeds itself as a system application, making it nearly impossible to remove.8
S0324 SpyDealer SpyDealer maintains persistence by installing an Android application package (APK) on the system partition.5


ID Mitigation Description
M1002 Attestation Device attestation could detect devices with unauthorized or unsafe modifications.
M1003 Lock Bootloader A locked bootloader could prevent unauthorized modifications of protected operating system files.
M1001 Security Updates Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files.
M1004 System Partition Integrity Android includes system partition integrity mechanisms that could detect unauthorized modifications.


ID Data Source Data Component
DS0041 Application Vetting API Calls
DS0013 Sensor Health Host Status