ATT&CK v19 has been released! Check out the blog post for more information.

API Calls

API calls utilized by an application that could indicate malicious activity

ID: DC0112

Domains: Mobile

Version: 2.1

Created: 13 March 2023

Last Modified: 16 January 2026

Log Sources

Name	Channel
android:logcat	SELinux AVC related to execute_no_trans/execmem after decode/unpack activity by the same app UID
Application Vetting	None
iOS:unifiedlog	Repeated sandbox or policy violations by a single process or app bundle (for example, deny rules) followed by successful access to resources or APIs that normally require higher privileges
iOS:unifiedlog	mmap with PROT_EXEC and PROT_WRITE by sandboxed app

Detection Strategy

ID	Name	Technique Detected
DET0652	Detection of Application Versioning	T1661
DET0712	Detection of Compromise Client Software Binary	T1645
DET0633	Detection of Credentials from Password Store	T1634
DET0671	Detection of Data Destruction	T1662
DET0660	Detection of Data Manipulation	T1641
DET0665	Detection of Exploitation for Privilege Escalation	T1404
DET0664	Detection of Keychain	T1634.001
DET0715	Detection of Masquerading	T1655
DET0609	Detection of Match Legitimate Name or Location	T1655.001
DET0720	Detection of Obfuscated Files or Information	T1406
DET0632	Detection of Process Injection	T1631
DET0622	Detection of Ptrace System Calls	T1631.001
DET0656	Detection of Steal Application Access Token	T1635
DET0625	Detection of System Checks	T1633.001
DET0683	Detection of Transmitted Data Manipulation	T1641.001
DET0626	Detection of URI Hijacking	T1635.001
DET0616	Detection of Virtualization/Sandbox Evasion	T1633