Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time.
There are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.
| ID | Name | Description |
|---|---|---|
| S0311 | YiSpecter |
YiSpecter has hijacked normal application’s launch routines to display ads.[1] |
| ID | Mitigation | Description |
|---|---|---|
| M1002 | Attestation |
Device attestation could detect unauthorized operating system modifications. |
| M1004 | System Partition Integrity |
Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.[2] |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0694 | Detection of Hijack Execution Flow | AN1807 |
Correlates (1) abnormal application or system resource resolution behavior (e.g., library loading, path resolution, or intent redirection), (2) execution of code or resources not aligned with the originating application’s package identity or expected runtime context, and (3) follow-on execution or network activity originating from the hijacked flow. The defender observes a causal chain where execution is redirected from an expected code path to an alternate resource or payload, resulting in execution under a trusted context but with untrusted origin. |