| ID | Name |
|---|---|
| T1631.001 | Ptrace System Calls |
Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Both Android and iOS have no legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.
| ID | Name | Description |
|---|---|---|
| S1208 | FjordPhantom |
FjordPhantom has injected malicious code and a hooking framework through a virtualization solution, i.e. Virtualization Solution, into the process of the hosted application.[1] |
| S1185 | LightSpy |
LightSpy injects libcynject.dylib into the SpringBoard process to enable audio/video recording.[2] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0041 | Application Vetting | API Calls |
Application vetting services could look for misuse of dynamic libraries. |