Modify System Partition

If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.

Many Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.

ID: T1400

Tactic Type:  Post-Adversary Device Access

Tactic: Defense Evasion, Persistence

Platform:  Android, iOS

MTC ID:  APP-27

Version: 1.1

Mitigations

Mitigation Description
Lock Bootloader
Security Updates
System Partition Integrity

Examples

Name Description
BrainTest

BrainTest uses root privileges (if available) to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset.[1]

Pegasus for Android

Pegasus for Android attempts to modify the device's system partition.[2]

Pegasus for iOS

Pegasus for iOS modifies the system partition to maintain persistence.[3]

ShiftyBug

ShiftyBug is auto-rooting adware that embeds itself as a system application, making it nearly impossible to remove.[4]

SpyDealer

SpyDealer maintains persistence by installing an Android application package (APK) on the system partition.[5]

Detection

Android devices with the Verified Boot capability [6] perform cryptographic checks of the integrity of the system partition.

The Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.

Samsung KNOX also provides a remote attestation capability on supported Samsung Android devices.

iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.[7]

References