Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0689: Detection of System Runtime API Hijacking

DET0689 is a mobile ATT&CK detection strategy for System Runtime API Hijacking, related to Android. The business issue is persistence at a very low level o...

MobileDET0689Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0689 is a mobile ATT&CK detection strategy for System Runtime API Hijacking, related to Android. The business issue is persistence at a very low level of the mobile operating environment: if an adversary can replace or hook a standard OS API library, malicious code may run whenever affected API functions are invoked. For leaders, this is less about a single alert and more about whether mobile security, incident response, and compliance evidence can prove that runtime integrity is being monitored on devices that matter to the business.

Executive priority

Prioritize this where Android devices support sensitive workflows, privileged access, operational processes, or regulated data handling. Executives should ask whether the organization can validate OS/runtime integrity, identify modified system libraries, and respond when a device may be persistently compromised. Because the ATT&CK detection object provides no official detection text or platform list of its own, coverage decisions should be based on the related Android technique, local mobile fleet risk, and available telemetry rather than assuming existing SOC tools already cover it.

Technical view

This detection strategy detects T1625.001, System Runtime API Hijacking, in the mobile domain. The related technique describes adversaries overwriting the standard Android OS API library with a malicious alternative to hook core functions and gain recurring execution. SOC, mobile security, and IR teams should validate whether they can observe system/runtime library integrity changes, unexpected replacement of OS API components, signs of hooking into core functions, and device state changes that make such tampering possible. Because no official DET0689 detection logic is supplied, teams should treat this as a coverage validation objective rather than a ready-to-implement analytic.

Likely telemetry

  • Mobile device integrity or attestation results for Android devices
  • File integrity or system partition change evidence for OS/runtime libraries
  • Mobile EDR or MTD observations related to runtime hooking or tampering
  • Device management posture signals such as rooted, unlocked, or non-compliant state where available
  • Application/runtime crash, anomaly, or behavioral telemetry that may indicate API interception

Detection direction

  • Map DET0689 coverage to T1625.001 and confirm whether Android runtime or OS library modification is visible in current mobile telemetry.
  • Validate that alerts distinguish legitimate OS updates, vendor maintenance, and approved device images from unauthorized runtime/library replacement.
  • Test whether mobile security tooling can surface persistence-oriented runtime tampering, not only malicious application installation.
  • Review blind spots for unmanaged Android devices, personal/BYOD devices, devices without mobile threat defense, and devices with limited forensic access.
  • Ensure SOC playbooks route suspected runtime API hijacking to mobile IR workflows because endpoint-style triage may not provide sufficient evidence on Android.

Mitigation priorities

  • Start with asset and use-case scoping: identify Android devices that support sensitive access, operations, or regulated workflows.
  • Require device compliance controls and integrity posture checks before granting access to important applications or data where feasible.
  • Maintain mobile OS and device management hygiene so approved baselines and update states are known and auditable.
  • Plan incident response actions for suspected runtime tampering, including isolation, evidence preservation, reimaging or replacement decisions, and credential review for accounts used from affected devices.
  • Use compliance evidence to show that mobile runtime integrity risk is governed, especially where Android devices are part of critical business processes.
Analyst notes and limits

The supplied ATT&CK detection strategy has no official description, no official detection text, no tactics, and no platforms specified. The practical interpretation comes from its explicit relationship to T1625.001, System Runtime API Hijacking, whose related platform is Android and whose description addresses overwriting standard OS API libraries to hook core functions for persistence.

This take does not assert active exploitation, attribution, impact, or guaranteed detectability. The related technique description provided is truncated, and DET0689 itself lacks detailed detection guidance. Local device management architecture, mobile telemetry access, and forensic capability are required to determine real coverage.

Official MITRE ATT&CK definition

Detection of System Runtime API Hijacking

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Mobile T1625.001 System Runtime API Hijacking Sub-technique This object detects System Runtime API Hijacking.
Relationship explorer

All related ATT&CK context

detects · Technique T1625.001: System Runtime API Hijacking Mobile
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
5e981ec886c4fa56...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 5e981ec886c4…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0689
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use