Modify cached executable code

ART (the Android Runtime) compiles optimized code on the device itself to improve performance. If an adversary can escalate privileges, he or she may be able to use those privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.

Sabanal describes the potential use of this technique in [1].

ID: T1403

Tactic Type: Post-Adversary Device Access

Tactic: Persistence

Platform: Android

Version: 1.0

Mitigations

Mitigation | Description
Security Updates
Use Recent OS Version

References