Hooking

Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection. Hooking can be used to modify return values or data structures of system APIs and function calls. This process typically involves using 3rd party root frameworks, such as Xposed or Magisk, with either a system exploit or pre-existing root access. By including custom modules for root frameworks, adversaries can hook system APIs and alter the return value and/or system data structures to alter functionality/visibility of various aspects of the system.

ID: T1617
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android
Contributors: Jörg Abraham, EclecticIQ
Version: 1.0
Created: 24 September 2021
Last Modified: 04 October 2021

Procedure Examples

ID Name Description
S0407 Monokle

Monokle can hook itself to appear invisible to the Process Manager.[1]

Mitigations

ID Mitigation Description
M1005 Application Vetting

Application vetting services could look for attempts to invoke the superuser (su) binary or modules related to rooting frameworks.

M1002 Attestation

Device attestation can often detect rooted devices.

M1010 Deploy Compromised Device Detection Method

Mobile security products can often detect rooted devices.

Detection

Hooking can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

References