Process Injection

Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Both Android and iOS have no legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.

ID: T1631
Sub-techniques:  T1631.001
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 1.1
Created: 30 March 2022
Last Modified: 20 March 2023

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting services could look for misuse of dynamic libraries.