Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with Execution Guardrails techniques, detecting malicious code downloaded after installation could be difficult.
On Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView’s JavascriptInterface capability.
On iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. [1]
| ID | Name | Description |
|---|---|---|
| S1061 | AbstractEmu |
AbstractEmu can download and install additional malware after initial infection.[2] |
| S0422 | Anubis | |
| S1079 | BOULDSPY | |
| S0293 | BrainTest |
Original samples of BrainTest download their exploit packs for rooting from a remote server after installation.[5] |
| S1094 | BRATA |
BRATA has used an initial dropper to download an additional malicious application, and downloads its configuration file from the C2 server.[6][7] |
| S0432 | Bread |
Bread has utilized JavaScript within WebViews that loaded a URL hosted on a Bread-controlled server which provided functions to run. Bread downloads billing fraud execution steps at runtime.[8] |
| S0655 | BusyGasper |
BusyGasper can download a payload or updates from either its C2 server or email attachments in the adversary’s inbox.[9] |
| S0529 | CarbonSteal |
CarbonSteal can dynamically load additional functionality.[10] |
| S0480 | Cerberus |
Cerberus can update the malicious payload module on command.[11] |
| S1083 | Chameleon | |
| S0555 | CHEMISTGAMES |
CHEMISTGAMES can download new modules while running.[13] |
| S0505 | Desert Scorpion |
Desert Scorpion has been distributed in multiple stages.[14] |
| S0550 | DoubleAgent |
DoubleAgent has downloaded additional code to root devices, such as TowelRoot.[10] |
| S0420 | Dvmap |
Dvmap can download code and binaries from the C2 server to execute on the device as root.[15] |
| S0507 | eSurv |
eSurv’s Android version is distributed in three stages: the dropper, the second stage payload, and the third stage payload which is Exodus.[16] |
| S0478 | EventBot | |
| S0405 | Exodus |
Exodus One, after checking in, sends a POST request and then downloads Exodus Two, the second stage binaries.[18] |
| S0577 | FrozenCell |
FrozenCell has downloaded and installed additional applications.[19] |
| S0535 | Golden Cup |
Golden Cup has been distributed in two stages.[20] |
| S0551 | GoldenEagle |
GoldenEagle can download new code to update itself.[10] |
| S0536 | GPlayed |
GPlayed has the capability to remotely load plugins and download and compile new .NET code.[21] |
| S0544 | HenBox | |
| S0325 | Judy |
Judy bypasses Google Play's protections by downloading a malicious payload at runtime after installation.[23] |
| S0485 | Mandrake |
Mandrake can download its second (Loader) and third (Core) stages after the dropper is installed.[24] |
| S0295 | RCSAndroid |
RCSAndroid has the ability to dynamically download and execute new code at runtime.[25] |
| S0539 | Red Alert 2.0 |
Red Alert 2.0 can download additional overlay templates.[26] |
| S1055 | SharkBot |
SharkBot can use the Android "Direct Reply" feature to spread the malware to other devices. It can also download the full version of the malware after initial device compromise.[27] |
| S0549 | SilkBean |
SilkBean can install new applications which are obtained from the C2 server.[10] |
| S0327 | Skygofree |
Skygofree can download executable code from the C2 server after the implant starts or after a specific command.[28] |
| S0324 | SpyDealer |
SpyDealer downloads and executes root exploits from a remote server.[29] |
| S0545 | TERRACOTTA |
TERRACOTTA can download additional modules at runtime via JavaScript |
| S0424 | Triada |
Triada utilizes a backdoor in a Play Store app to install additional trojanized apps from the Command and Control server.[31] |
| S0506 | ViperRAT |
ViperRAT has been installed in two stages and can secretly install new applications.[32] |
| G0112 | Windshift |
Windshift has included malware functionality capable of downloading new DEX files at runtime during Operation BULL.[33] |
| S0489 | WolfRAT |
WolfRAT can update the running malware. |