Modify Cached Executable Code
ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.
|M1006||Use Recent OS Version||
For applications running on Android 10 and higher devices, application developers can indicate that DEX code should always be executed directly from the application package.
Modifications to cached executable code can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.