Download New Code at Runtime

An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review.[1]

On Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability.[2]

On iOS, techniques also exist for executing dynamic code downloaded after application installation.[3][4]

ID: T1407

Tactic Type: Post-Adversary Device Access

Tactic: Defense Evasion

Platform: Android, iOS

MTC ID: APP-20

Version: 1.1

Mitigations

Mitigation Description
Application Vetting Application vetting techniques could (either statically or dynamically) look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of DexClassLoader, System.load, or the WebView JavascriptInterface capability; on iOS, use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation: additional scrutiny would still need to be applied to applications that use these techniques, because the techniques are often used without malicious intent, and because applications may employ other techniques to hide their use of these capabilities.
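As an added illustration of the static side of this mitigation (this is example code, not part of the ATT&CK page or any vetting product), the scanner below looks for the Android indicators named above in disassembled app code. It assumes the input is smali-style text already extracted from an APK with a disassembler; the sample fragment is constructed for the example. Direct references to DexClassLoader, System.load and WebView.addJavascriptInterface (the WebView method that exposes a JavascriptInterface object) are reported as "direct" hits. A class or method name that appears only as a string literal is reported as a "literal" hit, which this example treats as a hint that the capability may be reached reflectively, an assumption made here to reflect the page's caveat that apps may hide their use of these techniques. Matching the page's point that this is only a partial mitigation, the result is a "needs manual review" verdict rather than a maliciousness judgement.

```python
"""Static indicator scan for runtime code loading in Android apps (example)."""
import re

# Dalvik-style references to the capabilities named in the mitigation text.
# Ljava/lang/System;->load(...) is System.load; addJavascriptInterface is the
# WebView method behind the JavascriptInterface capability.
DIRECT_INDICATORS = {
    "DexClassLoader": re.compile(r"Ldalvik/system/DexClassLoader;"),
    "System.load": re.compile(r"Ljava/lang/System;->load\(Ljava/lang/String;\)V"),
    "WebView.addJavascriptInterface": re.compile(
        r"Landroid/webkit/WebView;->addJavascriptInterface\("),
}

# The same names appearing only as string constants (const-string) is treated
# here as a weak hint of reflective use. This heuristic is an assumption of the
# example, not something the page states.
LITERAL_INDICATORS = {
    "DexClassLoader": re.compile(
        r'const-string(?:/jumbo)? [vp]\d+, "dalvik\.system\.DexClassLoader"'),
    "WebView.addJavascriptInterface": re.compile(
        r'const-string(?:/jumbo)? [vp]\d+, "addJavascriptInterface"'),
}


def scan_smali(text):
    """Return {indicator: [(line_no, "direct" | "literal"), ...]} for hits in text."""
    findings = {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in DIRECT_INDICATORS.items():
            if pattern.search(line):
                findings.setdefault(name, []).append((line_no, "direct"))
        for name, pattern in LITERAL_INDICATORS.items():
            if pattern.search(line):
                findings.setdefault(name, []).append((line_no, "literal"))
    return findings


def vetting_verdict(findings):
    """Summarise scan results; any hit means a reviewer must look, not that the app is malicious."""
    if not findings:
        return "no runtime code-loading indicators found"
    # Indicators seen only as string constants, never as a direct reference.
    by_name_only = sorted(
        name for name, hits in findings.items()
        if all(kind == "literal" for _, kind in hits))
    verdict = "needs manual review: " + ", ".join(sorted(findings))
    if by_name_only:
        verdict += (" (referenced only as a string, possible reflective use: "
                    + ", ".join(by_name_only) + ")")
    return verdict


# Constructed sample input: a small smali fragment that instantiates a
# DexClassLoader directly and names addJavascriptInterface only as a string.
SAMPLE_SMALI = """\
.class public Lcom/example/Loader;
.method public run()V
    const-string v0, "/data/data/com.example/files/update.jar"
    new-instance v1, Ldalvik/system/DexClassLoader;
    invoke-direct {v1, v0, v2, v3, v4}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
    const-string v5, "addJavascriptInterface"
    invoke-virtual {v6, v5, v7}, Ljava/lang/Class;->getMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
.end method
"""

if __name__ == "__main__":
    hits = scan_smali(SAMPLE_SMALI)
    for name, locations in sorted(hits.items()):
        print(name, locations)
    print(vetting_verdict(hits))
```

In a real vetting pipeline the same scan would run over every .smali file of the disassembled APK, and a hit would route the app to a reviewer or to dynamic analysis rather than rejecting it outright, since many legitimate apps use these APIs.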

Examples

Name Description
BrainTest

Original samples of BrainTest download their exploit packs for rooting from a remote server after installation.[5]

Judy

Judy bypasses Google Play's protections by downloading a malicious payload at runtime after installation.[6]

Pallas

Pallas has the ability to download and install attacker-specified applications.[7]

RCSAndroid

RCSAndroid has the ability to dynamically download and execute new code at runtime.[8]

RedDrop

RedDrop downloads additional components (APKs, JAR files) from different C&C servers and stores them dynamically into the device’s memory, allowing the adversary to execute additional malicious APKs without having to embed them straight into the initial sample.[9]

Skygofree

Skygofree can download executable code from the C2 server after the implant starts or after a specific command.[10]

SpyDealer

SpyDealer downloads and executes root exploits from a remote server.[11]

ZergHelper

ZergHelper attempts to extend its capabilities via dynamic updating of its code.[12]

References