Modify Cached Executable Code

ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.[1]

ID: T1403
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Persistence
Platforms: Android
Version: 1.1
Created: 25 October 2017
Last Modified: 09 October 2019
Provided by LAYER 8


ID Mitigation Description
M1001 Security Updates
M1006 Use Recent OS Version

For applications running on Android 10 and higher devices, application developers can indicate that DEX code should always be executed directly from the application package.[2]


Modifications to cached executable code can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.