{ "type": "bundle", "id": "bundle--da15c19f-e841-442a-acf3-ed40d68dac2e", "spec_version": "2.0", "objects": [ { "id": "attack-pattern--41086474-e6de-4fac-bb69-640db7fdf3d2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Runtime code download and execution", "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nMany mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). These app stores scan submitted applications for malicious behavior. However, applications can evade these scans by downloading and executing new code at runtime that was not included in the original application package. (Citation: Fruit vs Zombies) (Citation: Android Hax) (Citation: Execute This!) (Citation: HT Fake News App) (Citation: Anywhere Computing kill 2FA) (Citation: Android Security Review 2015)", "external_references": [ { "source_name": "mitre-pre-attack", "external_id": "T1395", "url": "https://attack.mitre.org/techniques/T1395" }, { "description": "Claud Xiao. (2016). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved April 12, 2017.", "source_name": "Fruit vs Zombies" }, { "description": "Jon Oberheide. (2010). Android Hax. Retrieved April 12, 2017.", "source_name": "Android Hax" }, { "description": "Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, Giovanni Vigna. (2014). Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. Retrieved April 12, 2017.", "source_name": "Execute This!" }, { "description": "Wish Wu. (2016, July 15). Fake News App in Hacking Team Dump Designed to Bypass Google Play. Retrieved April 12, 2017.", "source_name": "HT Fake News App" }, { "description": "Radhesh Krishnan Konoth, Victor van der Veen and Herbert Bos. (2016). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved April 12, 2017.", "source_name": "Anywhere Computing kill 2FA" }, { "description": "Google. (2016, April). Android Security 2015 Year In Review. Retrieved April 12, 2017.", "source_name": "Android Security Review 2015" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-pre-attack", "phase_name": "launch" } ], "modified": "2020-03-30T14:24:50.384Z", "created": "2017-12-14T16:46:06.044Z", "x_mitre_is_subtechnique": false, "x_mitre_old_attack_id": "PRE-T1172", "x_mitre_version": "1.0", "x_mitre_difficulty_for_adversary_explanation": "Runtime code execution techniques and examples of their use are widely documented on both Apple iOS and Android.", "x_mitre_difficulty_for_adversary": "Yes", "x_mitre_detectable_by_common_defenses_explanation": "Third-party mobile application security analysis services exist that scan for use of these techniques in iOS and Android applications. Additionally, Google specifically calls out the ability to \"identify attacks that require connection to a server and dynamic downloading of code\" in its Android Security 2015 Year in Review report. However, many applications use these techniques as part of their legitimate operation, increasing the difficulty of detecting or preventing malicious use.", "x_mitre_detectable_by_common_defenses": "Partial", "x_mitre_deprecated": true } ] }