DET0618: Detection of Download New Code at Runtime
Analyst context for executives and security teams
DET0618 focuses on detecting mobile apps that download and run code after installation. For leaders, the business issue is assurance: an app can appear acceptable during static review or app-store scanning, then change behavior later by retrieving new executable logic. This matters most where mobile apps support customer access, employee productivity, regulated workflows, or privileged access into enterprise services.
Executive priority
Prioritize this as a mobile application governance and monitoring question, not just a malware-detection question. Leaders should ask whether mobile risk programs can produce evidence that approved Android and iOS apps are not introducing unreviewed runtime code, and whether incident response has a decision path for apps that change behavior after deployment. Because the ATT&CK object provides no official detection text, organizations should treat coverage claims cautiously and require environment-specific validation.
Technical view
This detection strategy is associated with ATT&CK mobile technique T1407, Download New Code at Runtime, for Android and iOS. SOC, mobile security, and IR teams should validate whether they can observe mobile applications retrieving code-like content after installation and subsequently executing or loading it. Detection engineering should focus on dynamic and behavioral evidence rather than relying only on pre-publication or static application review, since the related technique specifically notes evasion of static analysis and app-store pre-publication scans.
Likely telemetry
- Mobile application network activity showing post-installation downloads from app-controlled or remote locations
- Mobile runtime or behavioral analysis results indicating dynamic code loading or execution
- Mobile device management or mobile threat defense alerts related to suspicious application behavior, where available
- Application package review evidence to compare original installed code against later downloaded components
- Incident response artifacts from affected Android or iOS devices, subject to local collection capability
Detection direction
- Validate whether monitoring covers Android and iOS mobile application behavior after installation, not only initial app vetting.
- Tune detections around the combination of post-installation download activity and evidence of runtime loading or execution, rather than network download volume alone.
- Account for legitimate application update, plugin, scripting, or content-delivery patterns to reduce false positives.
- Use dynamic or behavioral analysis where feasible, because the related technique highlights evasion of static analysis and pre-publication app-store scans.
- Document blind spots where unmanaged devices, privacy limits, encrypted traffic, or lack of mobile runtime telemetry prevent confirmation.
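The correlation rule the list above describes (alert on post-installation download plus runtime loading from the same app, not on download volume alone, with an allow-list for expected updaters) can be sketched in a few dozen lines. The following is an added example, not code from the ATT&CK object or the Glexia page: the pipe-delimited event format, the package names, the allow-list and the 30-minute window are all assumptions, and the sample telemetry lines are constructed.

```python
"""Correlate post-installation downloads with later runtime code loading.

Added example, not part of the ATT&CK object or the Glexia page. The event
schema (timestamp|package|kind|detail), the package names and the allow-list
are assumptions; the sample lines are constructed, not real device output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: file types that indicate executable logic rather than content.
CODE_LIKE_SUFFIXES = (".dex", ".jar", ".apk", ".so", ".js", ".zip")

# Assumption: apps whose dynamic loading is expected (store/updater, approved
# plugin hosts). Tune per environment and keep the list reviewed and short.
EXPECTED_DYNAMIC_LOADERS = {"com.example.store"}

# Assumption: a load more than 30 minutes after the download is not correlated.
WINDOW = timedelta(minutes=30)


@dataclass
class Event:
    ts: datetime
    app: str
    kind: str    # "download" or "code_load"
    detail: str  # URL for download; loader and path for code_load


def parse_event(line: str) -> Event:
    """Parse one constructed telemetry line."""
    ts, app, kind, detail = line.strip().split("|", 3)
    return Event(datetime.fromisoformat(ts), app, kind, detail)


def looks_like_code(url: str) -> bool:
    """True when the URL path (query string ignored) ends in a code-like suffix."""
    path = url.split("?", 1)[0].lower()
    return path.endswith(CODE_LIKE_SUFFIXES)


def correlate(events):
    """One alert per code_load preceded by a code-like download from the same
    app inside WINDOW. A download alone or a load alone does not alert."""
    alerts = []
    downloads = {}  # app -> downloads seen so far, in time order
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "download":
            downloads.setdefault(ev.app, []).append(ev)
            continue
        if ev.kind != "code_load" or ev.app in EXPECTED_DYNAMIC_LOADERS:
            continue
        candidates = [d for d in downloads.get(ev.app, [])
                      if ev.ts - d.ts <= WINDOW and looks_like_code(d.detail)]
        if not candidates:
            continue
        last = candidates[-1]  # most recent qualifying download
        alerts.append({
            "app": ev.app,
            "download": last.detail,
            "load": ev.detail,
            "delay_seconds": int((ev.ts - last.ts).total_seconds()),
        })
    return alerts


def detect(lines):
    """Parse raw lines and run the correlation."""
    return correlate(parse_event(l) for l in lines if l.strip())


# Constructed sample telemetry: one true positive (com.example.game), one
# allow-listed updater, one content-only download, one load outside the
# window, and one load with no observed download.
SAMPLE_LINES = [
    "2026-03-01T10:00:00|com.example.weather|download|https://cdn.example/data/forecast.json",
    "2026-03-01T10:01:00|com.example.game|download|https://cdn.example/plugins/update.dex?v=7",
    "2026-03-01T10:05:00|com.example.game|code_load|DexClassLoader /data/data/com.example.game/cache/update.dex",
    "2026-03-01T10:10:00|com.example.store|download|https://cdn.example/pkg/app.apk",
    "2026-03-01T10:11:00|com.example.store|code_load|PackageInstaller app.apk",
    "2026-03-01T08:00:00|com.example.notes|download|https://cdn.example/scripts/plugin.js",
    "2026-03-01T10:20:00|com.example.notes|code_load|WebView evaluateJavascript plugin.js",
    "2026-03-01T10:30:00|com.example.chat|code_load|DexClassLoader /data/data/com.example.chat/files/x.dex",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

Run on the constructed sample, only com.example.game produces an alert: the download and the load are from the same package, the download path is code-like, and they sit four minutes apart. The allow-listed store, the JSON-only download, the load two hours after its download, and the load with no observed download all stay silent, which is the false-positive behaviour the list above asks for. In a real deployment the event source would be MTD or MDM behavioural telemetry, and the blind spots noted above (encrypted traffic, unmanaged devices, missing runtime hooks) mean a silent result is not evidence of absence.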
Mitigation priorities
- Establish mobile application governance requiring review of apps that can introduce executable logic after installation.
- Prioritize monitoring for enterprise-approved or high-risk mobile apps on Android and iOS where business access or sensitive data is involved.
- Require incident response playbooks for suspected runtime code download behavior, including containment, app removal decisions, and evidence preservation where permitted.
- Use static review as one control, but do not treat it as sufficient coverage for this behavior.
- Maintain audit-ready evidence showing which mobile telemetry sources and behavioral analysis capabilities are in place and what they cannot observe.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description, no official detection guidance, no listed platforms on the strategy itself, and no tactics. Practical guidance here is derived from its relationship to T1407, which is a mobile ATT&CK technique for Android and iOS involving download and execution of dynamic code after installation.
This take does not assert active exploitation, actor use, detection efficacy, or customer exposure. The ATT&CK record is sparse, so local mobile management architecture, app portfolio, telemetry access, and privacy constraints are required to determine real coverage.
Detection of Download New Code at Runtime
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1407 | Download New Code at Runtime | This object detects Download New Code at Runtime. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5f06eeb2bd28… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0618 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.