Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with Execution Guardrails techniques, detecting malicious code downloaded after installation could be difficult.
On iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. 
|S0539||Red Alert 2.0|
|M1006||Use Recent OS Version||
Applications that target Android API level 29 or higher cannot execute native code stored in the application's internal data storage directory, limiting the ability of applications to download and execute native code at runtime. 
Existing network infrastructure may detect network calls to known malicious domains or the transfer of malicious payloads over the network. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of
System.load, or the WebView