Mobile Threat Catalogue

Loading Malicious Code at Runtime

Contribute

Threat Category: Malicious or privacy-invasive application

ID: APP-20

Threat Description: Mobile apps may evade app vetting by downloading and executing malicious app code after installation. On Android, external code can be loaded using the OS-provided API. On iOS, the ability to modify app code is a consequence of the Objective C runtime environment that apps execute within, which permits method definitions to be modified at runtime. As the malicious code would not be present when the app was submitted for review, it may evade detection as a malicious application.

Threat Origin

Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications 1

Jekyll on iOS: When Benign Apps Become Evil 2

Exploit Examples

Android Hax 3

Hot or Not? The Benefits and Risks of iOS Remote Hot Patching 4

Method Swizzling 5

CVE Examples

Not Applicable

Possible Countermeasures

Enterprise

Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.

Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.

Use application threat intelligence data about potential abuse of dynamic code execution associated with apps installed on COPE or BYOD devices

Mobile Device User

Use Android Verify Apps feature to identify potentially harmful apps.

Consider the use of devices that support Android 10 or higher, in which applications cannot execute code within their own system binaries and libraries.

References

  1. S. Poeplau et al., “Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications”, in Proceedings of the 2014 Network and Distributed System Security Symposium, 2014; http://www.internetsociety.org/doc/execute-analyzing-unsafe-and-malicious-dynamic-code-loading-android-applications [accessed 8/31/16] 

  2. T. Wang et al., “Jekyll on iOS: When Benign Apps Become Evil”, in Proceedings of the 22nd USENIX Security Symposium, 2013; www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_wang_2.pdf [accessed 8/25/2016] 

  3. J. Oberheide, Android Hax, presented at Summercon, 10 June 2010; https://jon.oberheide.org/files/summercon10-androidhax-jonoberheide.pdf [accessed 8/25/2016] 

  4. J. Xie et al., “Hot or Not? The Benefits and Risks of iOS Remote Hot Patching”, blog, 27 Jan. 2016; https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html [accessed 8/31/16] 

  5. M. Thompson, “Method Swizzling”, blog, 17 Feb. 2014; http://nshipster.com/method-swizzling/ [accessed 8/31/16]