1. Home
  2. Techniques
  3. Mobile
  4. Native API

Native API

Adversaries may use Android’s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.

The NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.[1]

Adversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.[2]

ID: T1575
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactics: Defense Evasion, Execution
Platforms: Android
Version: 2.0
Created: 28 April 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0540 Asacub

Asacub has implemented functions in native code.[3]
S0432 Bread

Bread has used native code in an attempt to disguise malicious functionality.[4]
S0529 CarbonSteal

CarbonSteal has seen native libraries used in some reported samples [5]
S1083 Chameleon

Chameleon has used the KeyguardManager API to evaluate the device’s locking mechanism and the AlarmManager API to schedule tasks.[6]

S0555 CHEMISTGAMES

CHEMISTGAMES has utilized native code to decrypt its malicious payload.[7]
S9005 DocSwap

DocSwap has decrypted the encrypted APK file security.dat using the decryptFile function in the native-lib library.[8]

S1231 GodFather

GodFather has hooked onto the getEnabledAccessibilityServiceList API to return an empty list of active services, which hides GodFather and other active services.[9]

S0544 HenBox

HenBox has contained native libraries.[10]
S1185 LightSpy

LightSpy's main executable and modules use native libraries to execute targeted functionality.[11][12][13][14]

C0054 Operation Triangulation

During Operation Triangulation, the threat actors use the Audio Queue API to record audio.[15][16]

S0545 TERRACOTTA

TERRACOTTA has included native modules.[17]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0717 Detection of Native API AN1847

The defender correlates application loading or invoking native libraries through JNI or NDK-backed execution paths with subsequent lower-level activity such as native thread creation, sensor access, file operations, or outbound network communication that is inconsistent with the app's declared role or recent user interaction. The analytic prioritizes defender-observable control-plane effects: native library load or JNI bridge use, transition into native execution context, and immediate post-load behavior occurring from background state, locked-device state, or non-baselined app categories.

References

  1. Google. (2019, December 27). Getting Started with the NDK. Retrieved April 28, 2020.
  2. M. Peck, C. Northern. (2016, August 22). Analyzing the Effectiveness of App Vetting Tools in the Enterprise. Retrieved April 28, 2020.
  3. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.
  4. A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.
  5. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  6. ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.
  7. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.
  8. EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.
  9. Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.
  1. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
  2. ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.
  3. Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.
  4. Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.
  5. ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.
  6. Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.
  7. Larin, B. (2023, December 27). Operation Triangulation: The last (hardware) mystery. Retrieved April 18, 2024.
  8. Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.