Compromise Client Software Binary

Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are executed by the underlying operating system itself and by users working over adb or a terminal emulator, so a tampered binary runs with the trust and frequency of the genuine one.

Adversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device.

ID: T1645
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Persistence
Platforms: Android, iOS
MTC ID: APP-27
Version: 1.1
Created: 30 March 2022
Last Modified: 20 March 2023

Procedure Examples

ID Name Description
S0293 BrainTest

BrainTest uses root privileges (if available) to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset.[1]

S0655 BusyGasper

BusyGasper can abuse existing root access to copy components into the system partition.[2]

S0550 DoubleAgent

DoubleAgent has used exploits to root devices and install additional malware on the system partition.[3]

S0407 Monokle

Monokle can remount the system partition as read/write to install attacker-specified certificates.[4]

S0316 Pegasus for Android

Pegasus for Android attempts to modify the device's system partition.[5]

S0289 Pegasus for iOS

Pegasus for iOS modifies the system partition to maintain persistence.[6]

S0294 ShiftyBug

ShiftyBug is auto-rooting adware that embeds itself as a system application, making it nearly impossible to remove.[7]

S0324 SpyDealer

SpyDealer maintains persistence by installing an Android application package (APK) on the system partition.[8]

Mitigations

ID Mitigation Description
M1002 Attestation

Device attestation could detect devices with unauthorized or unsafe modifications.

M1003 Lock Bootloader

A locked bootloader could prevent unauthorized modifications of protected operating system files.

M1001 Security Updates

Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files.

M1004 System Partition Integrity

Android's system partition integrity mechanisms (dm-verity, enforced through Verified Boot) can detect unauthorized modifications to protected partitions and, on a locked device, report or block a modified system image at boot.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting services could detect applications trying to modify files in protected parts of the operating system.
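As an added illustration of the static vetting described above (example code written for this page, not part of the ATT&CK entry and not any vetting product's logic): a scan of strings pulled from an APK for the indicators this technique leaves behind, namely su invocation, remounting the system partition read/write, and copies or permission changes under protected system paths. The sample string lists and the indicator patterns are constructed for the example and are not a published signature set.

```python
"""Static indicator scan for system-partition tampering (added example).

Input is a constructed list of strings of the kind `strings classes.dex` or a
dex string-table dump would yield from an APK. The categories and regexes are
the example's own choices, not a published signature set.
"""
import re

# Constructed string-table excerpt from a hypothetical sample that roots the
# device and drops an APK into /system/priv-app.
SAMPLE_STRINGS = [
    "Lcom/example/app/MainActivity;",
    "/system/bin/su",
    "mount -o remount,rw /system",
    "/system/priv-app/Settings/Settings.apk",
    "cp /data/local/tmp/payload.apk /system/priv-app/",
    "chmod 644 /system/priv-app/payload.apk",
    "https://example.invalid/update",
]

# Constructed control: an ordinary app that never touches protected paths.
BENIGN_STRINGS = [
    "Lcom/example/app/MainActivity;",
    "/data/data/com.example.app/files/cache",
    "https://example.invalid/api",
]

# Constructed control: a launcher that only reads a system app path.
REVIEW_STRINGS = [
    "Lcom/example/launcher/AppList;",
    "/system/app/Calendar/Calendar.apk",
]

INDICATORS = {
    # Obtaining root: a bare `su` token or the su binary under /system.
    "root_exec": [re.compile(r"(^|[\s/])su(\s|$)"),
                  re.compile(r"/system/x?bin/su\b")],
    # Remounting the (normally read-only) system partition writable.
    "remount_rw": [re.compile(r"\bmount\s+-o\s+remount,rw\b")],
    # Writing into, or changing permissions under, the system partition.
    "system_write": [re.compile(r"\b(cp|mv|dd|cat)\b.*\s/system/"),
                     re.compile(r"\bchmod\s+\d{3,4}\s+/system/")],
    # Any reference to a protected system directory (weak on its own).
    "protected_path": [re.compile(r"/system/(priv-app|app|bin|xbin|lib(64)?|etc)/")],
}


def scan_strings(strings):
    """Return {category: [matching strings]} for every category with a hit."""
    hits = {}
    for s in strings:
        for category, patterns in INDICATORS.items():
            if any(p.search(s) for p in patterns):
                hits.setdefault(category, []).append(s)
    return hits


def verdict(hits):
    """Flag only the combination that matters for T1645: the app obtains root
    AND remounts or writes the system partition. A lone protected-path string
    is common in benign apps (package browsers, launchers) and is only noted."""
    if "root_exec" in hits and {"remount_rw", "system_write"} & set(hits):
        return "flag"
    if "protected_path" in hits:
        return "review"
    return "clean"


def vet(strings):
    """Convenience wrapper: (verdict, hits) for one sample."""
    hits = scan_strings(strings)
    return verdict(hits), hits


if __name__ == "__main__":
    for name, strings in (("sample", SAMPLE_STRINGS),
                          ("benign", BENIGN_STRINGS),
                          ("launcher", REVIEW_STRINGS)):
        v, h = vet(strings)
        print(f"{name}: {v} {sorted(h)}")
```

The combination rule is the point: a string such as /system/priv-app/ on its own is noise, while su together with a remount or a copy into /system is the procedure every entry in the table above describes. Obfuscated samples that build these commands at runtime will evade a string scan, so this is a triage filter, not a replacement for dynamic analysis on a rooted test device.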

DS0013 Sensor Health Host Status

Verified Boot can detect unauthorized modifications to the system partition.[9] Android's SafetyNet Attestation API provided remote attestation that could be used to identify and respond to compromised devices; it has since been deprecated in favor of the Play Integrity API, which returns device integrity verdicts to the app's backend. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. Checks that run on the device itself, such as reading Verified Boot properties over adb, can be tampered with by an adversary who already holds root, so a server-side attestation verdict is the more reliable signal.
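As an added example of the host-status check described above and of the system partition integrity mitigation (example code written for this page, not MITRE's or Google's tooling): read the Verified Boot state from getprop output and diff a sha256sum listing of /system/priv-app against a known-good baseline, which is exactly where BrainTest, ShiftyBug and SpyDealer plant their packages. All inputs below are constructed so the script runs offline; on a real device they would come from `adb shell getprop` and `adb shell sha256sum /system/priv-app/*/*.apk`, and the baseline from a trusted device on the same build. The property names are the documented Android Verified Boot properties; the expected values (green, enforcing, locked) are what a locked, unmodified device reports.

```python
"""Device-health triage for T1645 (added example): Verified Boot state plus a
/system/priv-app baseline diff. Inputs are constructed; see the lead-in.
"""
import re

GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Constructed getprop excerpt from a device whose bootloader was unlocked and
# whose dm-verity enforcement was switched off.
GETPROP_OUTPUT = """\
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.build.version.release]: [11]
"""

# What a locked, unmodified device reports for these properties.
EXPECTED = {
    "ro.boot.verifiedbootstate": "green",
    "ro.boot.veritymode": "enforcing",
    "ro.boot.vbmeta.device_state": "locked",
}

# Constructed sha256sum listing. Digests are shortened placeholders, not real
# APK hashes; sha256sum separates digest and path with two spaces.
CURRENT_LISTING = """\
1111  /system/priv-app/Settings/Settings.apk
2222  /system/priv-app/Telecom/Telecom.apk
dead  /system/priv-app/SystemUpdater/SystemUpdater.apk
"""

# Constructed baseline from a trusted device on the same build.
BASELINE = {
    "/system/priv-app/Settings/Settings.apk": "1111",  # unchanged
    "/system/priv-app/Telecom/Telecom.apk": "3333",    # digest differs: modified
    "/system/priv-app/Shell/Shell.apk": "4444",        # not on device: missing
}


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict; unrelated lines are ignored."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def assess_boot_state(props):
    """One finding per Verified Boot property that is absent or off-nominal."""
    findings = []
    for key, expected in EXPECTED.items():
        actual = props.get(key)
        if actual is None:
            findings.append(f"{key} missing (device may predate AVB; verify manually)")
        elif actual != expected:
            findings.append(f"{key}={actual} (expected {expected})")
    return findings


def parse_hash_listing(text):
    """Map path -> digest from sha256sum output."""
    listing = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            listing[path.strip()] = digest
    return listing


def diff_priv_app(baseline, current):
    """Packages added to, removed from, or altered on the system partition."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
    }


def triage(getprop_text, listing_text, baseline):
    """Combine both checks; any finding marks the device as suspicious."""
    report = {
        "boot_findings": assess_boot_state(parse_getprop(getprop_text)),
        "priv_app": diff_priv_app(baseline, parse_hash_listing(listing_text)),
    }
    report["suspicious"] = bool(report["boot_findings"]) or any(report["priv_app"].values())
    return report


if __name__ == "__main__":
    for key, value in triage(GETPROP_OUTPUT, CURRENT_LISTING, BASELINE).items():
        print(f"{key}: {value}")
```

An added package under /system/priv-app is the strongest signal here because it survives a factory reset, as the BrainTest entry notes. The Verified Boot properties are read from the device being examined, so an adversary with root can lie about them; treat an "orange" or "red" state as conclusive but a "green" state as only consistent with health until a remote attestation verdict confirms it.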

References