Download New Code at Runtime

Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with Execution Guardrails techniques, detecting malicious code downloaded after installation could be difficult.

On Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView’s JavascriptInterface capability.

On iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. [1]

ID: T1407
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android, iOS
MTC ID: APP-20
Version: 1.5
Created: 25 October 2017
Last Modified: 08 August 2023

Procedure Examples

ID Name Description
S1061 AbstractEmu

AbstractEmu can download and install additional malware after initial infection.[2]

S0422 Anubis

Anubis can download attacker-specified APK files.[3]

S1079 BOULDSPY

BOULDSPY can download and run code obtained from the C2.[4]

S0293 BrainTest

Original samples of BrainTest download their exploit packs for rooting from a remote server after installation.[5]

S1094 BRATA

BRATA has used an initial dropper to download an additional malicious application, and downloads its configuration file from the C2 server.[6][7]

S0432 Bread

Bread has utilized JavaScript within WebViews that loaded a URL hosted on a Bread-controlled server which provided functions to run. Bread downloads billing fraud execution steps at runtime.[8]

S0655 BusyGasper

BusyGasper can download a payload or updates from either its C2 server or email attachments in the adversary’s inbox.[9]

S0529 CarbonSteal

CarbonSteal can dynamically load additional functionality.[10]

S0480 Cerberus

Cerberus can update the malicious payload module on command.[11]

S1083 Chameleon

Chameleon can download new code at runtime.[12]

S0555 CHEMISTGAMES

CHEMISTGAMES can download new modules while running.[13]

S0505 Desert Scorpion

Desert Scorpion has been distributed in multiple stages.[14]

S0550 DoubleAgent

DoubleAgent has downloaded additional code to root devices, such as TowelRoot.[10]

S0420 Dvmap

Dvmap can download code and binaries from the C2 server to execute on the device as root.[15]

S0507 eSurv

eSurv’s Android version is distributed in three stages: the dropper, the second stage payload, and the third stage payload which is Exodus.[16]

S0478 EventBot

EventBot can download new libraries when instructed to.[17]

S0405 Exodus

Exodus One, after checking in, sends a POST request and then downloads Exodus Two, the second stage binaries.[18]

S0577 FrozenCell

FrozenCell has downloaded and installed additional applications.[19]

S0535 Golden Cup

Golden Cup has been distributed in two stages.[20]

S0551 GoldenEagle

GoldenEagle can download new code to update itself.[10]

S0536 GPlayed

GPlayed has the capability to remotely load plugins and download and compile new .NET code.[21]

S0544 HenBox

HenBox can load additional Dalvik code while running.[22]

S0325 Judy

Judy bypasses Google Play's protections by downloading a malicious payload at runtime after installation.[23]

S0485 Mandrake

Mandrake can download its second (Loader) and third (Core) stages after the dropper is installed.[24]

S0295 RCSAndroid

RCSAndroid has the ability to dynamically download and execute new code at runtime.[25]

S0539 Red Alert 2.0

Red Alert 2.0 can download additional overlay templates.[26]

S1055 SharkBot

SharkBot can use the Android "Direct Reply" feature to spread the malware to other devices. It can also download the full version of the malware after initial device compromise.[27]

S0549 SilkBean

SilkBean can install new applications which are obtained from the C2 server.[10]

S0327 Skygofree

Skygofree can download executable code from the C2 server after the implant starts or after a specific command.[28]

S0324 SpyDealer

SpyDealer downloads and executes root exploits from a remote server.[29]

S0545 TERRACOTTA

TERRACOTTA can download additional modules at runtime via JavaScript eval statements.[30]

S0424 Triada

Triada utilizes a backdoor in a Play Store app to install additional trojanized apps from the Command and Control server.[31]

S0506 ViperRAT

ViperRAT has been installed in two stages and can secretly install new applications.[32]

G0112 Windshift

Windshift has included malware functionality capable of downloading new DEX files at runtime during Operation BULL.[33]

S0489 WolfRAT

WolfRAT can update the running malware.[34]

S0311 YiSpecter

YiSpecter has used private APIs to download and install other pieces of itself, as well as other malicious apps. [35]

S0494 Zen

Zen can dynamically load executable code from remote sources.[36]

S0287 ZergHelper

ZergHelper attempts to extend its capabilities via dynamic updating of its code.[37]

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version

Applications that target Android API level 29 or higher cannot execute native code stored in the application's internal data storage directory, limiting the ability of applications to download and execute native code at runtime. [38]

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of DexClassLoader, System.load, or the WebView JavaScriptInterface capability; on iOS, use of JSPatch or similar capabilities).

Network Communication

Application vetting services may be able to list domains and/or IP addresses that applications communicate with.

DS0029 Network Traffic Network Traffic Content

Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.

References

  1. Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. Retrieved December 9, 2016.
  2. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.
  3. K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.
  4. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.
  5. Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.
  6. Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.
  7. Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.
  8. A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.
  9. Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.
  10. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  11. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
  12. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
  13. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.
  14. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
  15. R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.
  16. A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.
  17. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
  18. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.
  19. Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.
  1. R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.
  2. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.
  3. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
  4. CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018.
  5. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
  6. Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.
  7. J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.
  8. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
  9. Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.
  10. Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.
  11. Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.
  12. Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.
  13. M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.
  14. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
  15. W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.
  16. Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.
  17. Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.
  18. Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.
  19. Android Developers. (n.d.). Behavior changes: all apps - Removed execute permission for app home directory. Retrieved September 20, 2019.