System Runtime API Hijacking - T1625.001 (c6e17ca2-08b5-4379-9786-89bd05241831)
Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time.
On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| System Runtime API Hijacking - T1625.001 (c6e17ca2-08b5-4379-9786-89bd05241831) | Attack Pattern | Hijack Execution Flow - T1625 (670a4d75-103b-4b14-8a9e-4652fa795edd) | Attack Pattern | 1 |