Native Code

Adversaries may use Android’s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.

The NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.[1]

Adversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.[2]

ID: T1575
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactics: Defense Evasion, Execution
Platforms: Android
Version: 1.0
Created: 28 April 2020
Last Modified: 28 April 2020

Procedure Examples

Name Description
Bread

Bread has used native code in an attempt to disguise malicious functionality.[3]

Mitigations

Mitigation Description
Application Vetting

Application vetting services could look for the native keyword in function definitions. However, this is widely used for legitimate purposes, so this may not be feasible. Application vetting services may also be able to detect behaviors carried out through the Native Development Kit (NDK) via dynamic analysis.

Detection

This is abuse of standard OS-level APIs and are therefore typically undetectable to the end user.

References