Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time.
On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.
| ID | Name | Description |
|---|---|---|
| S0420 | Dvmap |
Dvmap replaces |
| S0408 | FlexiSpy | |
| S0494 | Zen |
Zen can install itself on the system partition to achieve persistence. Zen can also replace |
| ID | Mitigation | Description |
|---|---|---|
| M1002 | Attestation |
Device attestation could detect unauthorized operating system modifications. |
| M1004 | System Partition Integrity |
Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.[4] |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0689 | Detection of System Runtime API Hijacking | AN1800 |
Correlates (1) modification or replacement of system runtime libraries or API resolution paths, (2) repeated invocation of hijacked APIs across multiple applications, and (3) inconsistent or suppressed outputs from those APIs compared to expected OS-enforced behavior. The defender observes a causal chain where system-level API behavior is altered, resulting in multiple applications exhibiting consistent anomalies in sensor access, permission checks, or system state reporting. |