Download New Code at Runtime

An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review.[1]

On Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability.[2]

On iOS, techniques also exist for executing dynamic code downloaded after application installation.[3][4]

ID: T1407
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android, iOS
MTC ID: APP-20
Version: 1.2
Created: 25 October 2017
Last Modified: 09 October 2019

Procedure Examples

Name Description
BrainTest

Original samples of BrainTest download their exploit packs for rooting from a remote server after installation.[9]

Bread

Bread has utilized JavaScript within WebViews that loaded a URL hosted on a Bread-controlled server which provided functions to run. Bread downloads billing fraud execution steps at runtime.[15]

Cerberus

Cerberus can update the malicious payload module on command.[17]

Dvmap

Dvmap can download code and binaries from the C2 server to execute on the device as root.[14]

EventBot

EventBot can download new libraries when instructed to.[16]

Exodus

Exodus One, after checking in, sends a POST request and then downloads Exodus Two, the second stage binaries.[13]

Judy

Judy bypasses Google Play's protections by downloading a malicious payload at runtime after installation.[6]

RCSAndroid

RCSAndroid has the ability to dynamically download and execute new code at runtime.[10]

Skygofree

Skygofree can download executable code from the C2 server after the implant starts or after a specific command.[11]

SpyDealer

SpyDealer downloads and executes root exploits from a remote server.[8]

Triada

Triada utilizes a backdoor in a Play Store app to install additional trojanized apps from the Command and Control server.[12]

ZergHelper

ZergHelper attempts to extend its capabilities via dynamic updating of its code.[7]

Mitigations

Mitigation Description
Application Vetting

Application vetting techniques could (either statically or dynamically) look for indications that the application downloads and executes new code at runtime (e.g., on Android use of DexClassLoader, System.load, or the WebView JavaScriptInterface capability, or on iOS use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques, as the techniques are often used without malicious intent, and because applications may employ other techniques such as to hide their use of these techniques.

Use Recent OS Version

On Android 10 and above devices, applications that target Android API level 29 or higher cannot execute native code stored in the application's internal data storage directory, limiting the ability of applications to download and execute native code at runtime.[5]

Detection

Downloading new code at runtime can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.

References