Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with Execution Guardrails techniques, detecting malicious code downloaded after installation could be difficult.
On iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. 
|S0539||Red Alert 2.0|
|M1006||Use Recent OS Version||
Applications that target Android API level 29 or higher cannot execute native code stored in the application's internal data storage directory, limiting the ability of applications to download and execute native code at runtime. 
|ID||Data Source||Data Component||Detects|
|DS0041||Application Vetting||API Calls||
Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of
Application vetting services may be able to list domains and/or IP addresses that applications communicate with.
|DS0029||Network Traffic||Network Traffic Content||
Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.