1. Home
  2. Techniques
  3. Mobile
  4. Modify System Partition

Modify System Partition

If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.

Many Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.

ID: T1400
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
MTC ID: APP-27
Version: 1.2
Created: 25 October 2017
Last Modified: 04 September 2019

Procedure Examples

ID Name Description
S0293 BrainTest

BrainTest uses root privileges (if available) to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset.[1]
S0655 BusyGasper

BusyGasper can abuse existing root access to copy components into the system partition.[2]
S0550 DoubleAgent

DoubleAgent has used exploits to root devices and install additional malware on the /system partition.[3]
S0420 Dvmap

Dvmap replaces /system/bin/ip with a malicious version. Dvmap can inject code by patching libdmv.so or libandroid_runtime.so, depending on the Android OS version. Both libraries are related to the Dalvik and ART runtime environments. The patched functions can only call /system/bin/ip, which was replaced with the malicious version.[4]
S0408 FlexiSpy

FlexiSpy installs boot hooks into /system/su.d.[5]
S0407 Monokle

Monokle can remount the system partition as read/write to install attacker-specified certificates.[6]

S0316 Pegasus for Android

Pegasus for Android attempts to modify the device's system partition.[7]
S0289 Pegasus for iOS

Pegasus for iOS modifies the system partition to maintain persistence.[8]
S0294 ShiftyBug

ShiftyBug is auto-rooting adware that embeds itself as a system application, making it nearly impossible to remove.[9]
S0324 SpyDealer

SpyDealer maintains persistence by installing an Android application package (APK) on the system partition.[10]
S0494 Zen

Zen can install itself on the system partition to achieve persistence. Zen can also replace framework.jar, which allows it to intercept and modify the behavior of the standard Android API.[11]

Mitigations

ID Mitigation Description
M1003 Lock Bootloader
M1001 Security Updates
M1004 System Partition Integrity

Detection

Android devices with the Verified Boot capability [12] perform cryptographic checks of the integrity of the system partition.

The Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.

Samsung KNOX also provides a remote attestation capability on supported Samsung Android devices.

iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.[13]

References

  1. Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.
  2. Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.
  3. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  4. R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.
  5. K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.
  6. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
  7. Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.
  1. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
  2. Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.
  3. Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.
  4. Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.
  5. Android. (n.d.). Verified Boot. Retrieved December 21, 2016.
  6. Apple. (2016, May). iOS Security. Retrieved December 21, 2016.