The sub-techniques beta is now live! Read the release blog post for more info.

Modify Cached Executable Code

ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.[1]

ID: T1403
Tactic Type: Post-Adversary Device Access
Tactic: Persistence
Platform: Android
Version: 1.1
Created: 25 October 2017
Last Modified: 09 October 2019

Mitigations

Mitigation Description
Security Updates
Use Recent OS Version

For applications running on Android 10 and higher devices, application developers can indicate that DEX code should always be executed directly from the application package.[2]

Detection

Modifications to cached executable code can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.

References