MITRE ATT&CK® Technique

T1407: Download New Code at Runtime

Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with Execution Guardrails techniques, detecting malicious code downloaded after installation could be difficult.

On Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView’s `JavascriptInterface` capability.

On iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. [1]
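
As an added illustration of the Android and iOS mechanisms named above (example code written for this page, not MITRE's, Glexia's or any app vendor's): a Python heuristic that scans a string dump of an app binary for loader APIs, for a remote-fetch capability and for code-like file names, and separates loaders that accept arbitrary code (DexClassLoader, InMemoryDexClassLoader, System.load with a path, addJavascriptInterface, JSPatch's JPEngine) from those that normally load only what shipped in the package (PathClassLoader, System.loadLibrary). The indicator lists, the strong/weak split and the sample string dumps are assumptions constructed for the example; it extends the text by covering both platforms and a benign NDK app in one pass.

```python
"""Heuristic vetting of an app binary for runtime code-loading capability.

Added example, not Glexia or ATT&CK code. Input is a list of strings such as
a string dump of an APK's classes.dex (smali-style descriptors) or of an iOS
Mach-O binary would yield. Indicator tables and sample dumps are assumptions
constructed for this example, not an ATT&CK-defined catalogue.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# (strength, category) -> substrings to look for.
# "strong" loaders take an arbitrary path or byte buffer; "weak" ones normally
# load only code that shipped in the package and are near-universal in benign apps.
ANDROID_INDICATORS = {
    ("strong", "dalvik_code"): (
        "Ldalvik/system/DexClassLoader;",
        "Ldalvik/system/InMemoryDexClassLoader;",
        "Ldalvik/system/BaseDexClassLoader;",
    ),
    ("weak", "dalvik_code"): ("Ldalvik/system/PathClassLoader;",),
    ("strong", "native_code"): ("Ljava/lang/System;->load(", "Ljava/lang/Runtime;->load("),
    ("weak", "native_code"): ("Ljava/lang/System;->loadLibrary(",),
    ("strong", "webview_js_bridge"): ("Landroid/webkit/WebView;->addJavascriptInterface(",),
    ("weak", "webview_js_bridge"): ("Landroid/webkit/WebSettings;->setJavaScriptEnabled(",),
    ("fetch", "remote_fetch"): (
        "Ljava/net/URL;->openConnection(",
        "Ljava/net/HttpURLConnection;",
        "Lokhttp3/OkHttpClient;",
    ),
}
IOS_INDICATORS = {
    ("strong", "js_hot_patch"): ("JSPatch", "JPEngine", "evaluateScript"),
    ("weak", "js_hot_patch"): ("JSContext",),
    ("fetch", "remote_fetch"): ("NSURLSession", "NSURLConnection"),
}
PAYLOAD_EXTENSIONS = (".dex", ".jar", ".apk", ".so", ".js")


@dataclass(frozen=True)
class Finding:
    strength: str   # strong, weak, fetch or payload
    category: str
    evidence: str   # the dumped string that matched


def scan_strings(strings: Iterable[str], platform: str) -> list[Finding]:
    """Return every indicator hit in the dump for the given platform."""
    table = ANDROID_INDICATORS if platform == "android" else IOS_INDICATORS
    findings: list[Finding] = []
    for s in strings:
        for (strength, category), needles in table.items():
            if any(n in s for n in needles):
                findings.append(Finding(strength, category, s))
        if s.lower().endswith(PAYLOAD_EXTENSIONS):
            findings.append(Finding("payload", "payload_path", s))
    return findings


def verdict(findings: Iterable[Finding]) -> str:
    """Collapse findings into a triage decision."""
    strengths = {f.strength for f in findings}
    if "strong" in strengths and "fetch" in strengths:
        return "escalate"   # can fetch and load arbitrary code: the T1407 pattern
    if "strong" in strengths:
        return "review"     # loads arbitrary code; confirm where it comes from
    if strengths & {"weak", "payload"}:
        return "low"        # bundled-code loading only; common in benign apps
    return "clean"


# Constructed sample dumps (not from real apps).
SAMPLE_DEX_STRINGS = [
    "Lcom/example/app/MainActivity;",
    "Ljava/net/URL;->openConnection()Ljava/net/URLConnection;",
    "Ljava/io/FileOutputStream;-><init>(Ljava/io/File;)V",
    "Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;"
    "Ljava/lang/String;Ljava/lang/ClassLoader;)V",
    "/files/update.jar",
]
SAMPLE_BENIGN_DEX_STRINGS = [   # ordinary NDK game: bundled .so plus an HTTP client
    "Lcom/example/game/MainActivity;",
    "Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V",
    "Lokhttp3/OkHttpClient;",
]
SAMPLE_MACHO_STRINGS = ["_OBJC_CLASS_$_JPEngine", "evaluateScript:", "NSURLSession", "main.js"]

if __name__ == "__main__":
    for name, dump, plat in (("suspect apk", SAMPLE_DEX_STRINGS, "android"),
                             ("benign apk", SAMPLE_BENIGN_DEX_STRINGS, "android"),
                             ("ios binary", SAMPLE_MACHO_STRINGS, "ios")):
        hits = scan_strings(dump, plat)
        print(name, verdict(hits), sorted({f.category for f in hits}))
```

The strong/weak split is what keeps this usable: System.loadLibrary and setJavaScriptEnabled appear in most legitimate apps, so on their own they only justify the "low" outcome, while a DexClassLoader or JPEngine reference next to an HTTP client is the combination worth escalating for dynamic analysis.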

Domain: Mobile | ID: T1407 | Type: Technique | Object version: 1.5
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Download New Code at Runtime matters because a mobile app can appear acceptable during store review or static scanning, then fetch and run code after installation. For leaders, this turns mobile app trust into an ongoing runtime assurance problem: the risk is not only what was in the original Android or iOS package, but what the app can later retrieve and execute.

Executive priority

Prioritize this technique where mobile devices access sensitive business data, regulated workflows, executive communications, field operations, or critical infrastructure environments. Security leaders should ask whether mobile risk management depends mainly on app-store approval and pre-install scanning, or whether the organization can observe suspicious post-install code loading, enforce current OS versions, and produce audit evidence for mobile application control decisions.

Technical view

For SOC, detection engineering, and IR teams, validate Android and iOS visibility for applications that download executable or script-like content after installation. ATT&CK specifies Android dynamic code examples including native code, Dalvik code, and JavaScript using Android WebView JavascriptInterface; iOS examples include execution through third-party libraries such as JSPatch. Because ATT&CK provides no official detection text for this object, use the related DET0618 detection strategy as a prompt to build local analytics around runtime code retrieval and execution, while accounting for legitimate hot patching, app update, and content delivery behaviors. Relationship context shows this behavior is associated with multiple Android malware families, Android/iOS malware or riskware, and the Windshift group, but local detection should be based on observed app behavior rather than attribution assumptions.

Likely telemetry

  • Mobile device management or enterprise mobility inventory showing Android and iOS versions, installed applications, app provenance, and update posture
  • Mobile threat defense or endpoint telemetry capable of observing app network activity and runtime behavior
  • Network logs for mobile devices or managed mobile traffic, including destinations used by apps after installation
  • Application analysis results that identify dynamic loading, downloaded native/Dalvik code, WebView JavaScript interface exposure, or iOS hot-patching frameworks
  • Mobile application allowlist/blocklist decisions and app store/reputation evidence

Detection direction

  • Confirm whether current mobile security tooling can distinguish normal app content updates from downloaded executable code or script execution after install.
  • Tune analytics for apps that retrieve code-like payloads from remote locations and then load or execute them, especially where the original package did not contain the observed functionality.
  • On Android, validate coverage for native code loading, Dalvik code loading, and WebView JavascriptInterface abuse patterns referenced by ATT&CK.
  • On iOS, review whether enterprise controls or app assessments can identify third-party runtime patching libraries such as JSPatch where relevant.
  • Account for false positives from legitimate remote configuration, content delivery, analytics SDKs, and authorized hot patching; require behavioral context before escalating.
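
One way to act on the detection points above, as an added example (not Glexia's, ATT&CK's or any vendor's code): a correlation over constructed JSON-lines telemetry that pairs a code-like download by an app with a later code load by the same app on the same device, ignores loads of the package's own bundled code, suppresses downloads from an assumed organisational allowlist of authorised hot-patch hosts, and still raises a lower-severity alert for a load from writable storage with no observed download. The event schema, field names, allowlist and sample lines are all assumptions made for this example.

```python
"""Correlate post-install code retrieval with code loading in mobile telemetry.

Added example, not Glexia or ATT&CK code. The telemetry format is an
assumption: one JSON object per line, as a mobile threat defense agent or a
managed-network sensor might emit. The sample lines are constructed.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Response properties that mark a download as code rather than content.
CODE_CONTENT_TYPES = {
    "application/java-archive", "application/vnd.android.package-archive",
    "application/x-sharedlib", "application/javascript", "text/javascript",
}
CODE_MAGIC = (b"dex\n", b"\x7fELF", b"PK\x03\x04")   # DEX, ELF (.so), ZIP/JAR/APK
CODE_EXTENSIONS = (".dex", ".jar", ".apk", ".so", ".js")

# Assumed organisational allowlist of authorised hot-patch / plugin sources.
APPROVED_CODE_HOSTS = {"patch.corp.example"}

# Code loaded from these locations is the installed package or the platform itself.
INSTALLED_CODE_PREFIXES = ("/data/app/", "/system/", "/apex/", "/vendor/", "/product/")

# Constructed sample telemetry (not real data). "magic" is the hex of the first response bytes.
SAMPLE_LOG = """\
{"ts":"2025-05-01T10:00:00","device":"d1","app":"com.example.bank","event":"net","host":"cdn.example.net","path":"/assets/theme.json","content_type":"application/json","magic":"7b22"}
{"ts":"2025-05-01T10:01:10","device":"d1","app":"com.example.bank","event":"net","host":"cdn.example.net","path":"/u/update.bin","content_type":"application/octet-stream","magic":"6465780a303335"}
{"ts":"2025-05-01T10:02:40","device":"d1","app":"com.example.bank","event":"code_load","loader":"DexClassLoader","path":"/data/data/com.example.bank/files/update.bin"}
{"ts":"2025-05-01T10:05:00","device":"d2","app":"com.vendor.suite","event":"net","host":"patch.corp.example","path":"/patch/v3.js","content_type":"application/javascript","magic":"2f2f"}
{"ts":"2025-05-01T10:05:05","device":"d2","app":"com.vendor.suite","event":"code_load","loader":"WebView","path":"/data/data/com.vendor.suite/files/v3.js"}
{"ts":"2025-05-01T10:06:00","device":"d3","app":"com.example.game","event":"code_load","loader":"System.loadLibrary","path":"/data/app/com.example.game-1/lib/arm64/libgame.so"}
{"ts":"2025-05-01T10:07:00","device":"d1","app":"com.example.news","event":"code_load","loader":"DexClassLoader","path":"/storage/emulated/0/Download/plugin.jar"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines, convert timestamps and return events in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda e: e["ts"])


def looks_like_code(ev: dict) -> bool:
    """True when a net event's response body looks like executable code."""
    if ev.get("content_type") in CODE_CONTENT_TYPES:
        return True
    if bytes.fromhex(ev.get("magic", "")).startswith(CODE_MAGIC):
        return True
    return ev.get("path", "").lower().endswith(CODE_EXTENSIONS)


def correlate(events: list[dict], window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Pair each code load with the latest code-like download by the same app and device."""
    pending: dict[tuple[str, str], list[dict]] = {}
    alerts: list[dict] = []
    for ev in events:
        key = (ev["device"], ev["app"])
        if ev["event"] == "net":
            if looks_like_code(ev):
                pending.setdefault(key, []).append(ev)
            continue
        if ev["event"] != "code_load":
            continue
        if ev["path"].startswith(INSTALLED_CODE_PREFIXES):
            continue                      # bundled or platform code: normal
        recent = [d for d in pending.get(key, []) if ev["ts"] - d["ts"] <= window]
        if recent:
            d = recent[-1]
            if d["host"] in APPROVED_CODE_HOSTS:
                continue                  # authorised hot patching: suppress
            alerts.append({"severity": "high", "app": ev["app"], "device": ev["device"],
                           "host": d["host"], "downloaded": d["path"], "loader": ev["loader"],
                           "loaded": ev["path"],
                           "seconds": int((ev["ts"] - d["ts"]).total_seconds())})
        else:                             # load from writable storage, no download seen
            alerts.append({"severity": "medium", "app": ev["app"], "device": ev["device"],
                           "host": None, "downloaded": None, "loader": ev["loader"],
                           "loaded": ev["path"], "seconds": None})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run as-is it raises one high-severity alert (the banking app downloads a DEX-magic blob from cdn.example.net and loads it with DexClassLoader 90 seconds later) and one medium-severity alert (a DexClassLoader load from the shared Download directory with no observed download), while the vendor suite's JavaScript patch from the allowlisted host and the game's bundled .so produce nothing. The medium path matters because the download may have arrived over a channel the sensor does not see, or before monitoring started.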

Mitigation priorities

  • Keep mobile operating systems current, aligning with ATT&CK mitigation M1006, because newer OS versions may include security architecture improvements and blocks against observed techniques.
  • Strengthen mobile application governance: restrict high-risk or unapproved apps on managed devices and require risk review for apps that dynamically load code.
  • Use mobile threat detection or application vetting where business risk justifies runtime behavior assessment, not only static package review.
  • Require additional scrutiny for apps used in sensitive roles, regulated data access, executive communications, or operational technology-adjacent workflows.
  • Define IR playbooks for suspected mobile runtime code loading, including device isolation, app removal decisions, evidence preservation, and credential/session review where business apps are involved.

Analyst notes and limits

The strongest decision point is whether the organization can observe post-install mobile app behavior. ATT&CK links this technique to numerous mobile software entries including ZergHelper, BrainTest, RCSAndroid, YiSpecter, SpyDealer, Judy, Skygofree, Exodus, Dvmap, Anubis, Triada, Bread, EventBot, Cerberus, Mandrake, WolfRAT, Zen, Desert Scorpion, ViperRAT, eSurv, and CarbonSteal, plus the Windshift group. These relationships show the technique’s relevance across mobile riskware, spyware, banking trojans, adware, and surveillanceware, but they do not prove activity in any specific environment.

ATT&CK lists no tactics and provides no official detection procedure for T1407 in the supplied fields. Detection feasibility depends heavily on mobile platform constraints, device ownership model, MDM/MTD coverage, network visibility, app vetting depth, and whether devices are managed. This take does not assert active exploitation, customer exposure, or guaranteed detection.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group (Mobile)

G0112: Windshift

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.[1][2][3]

Malware (Mobile, Android)

S9004: Crocodilus

Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.[1][2]

S0424: Triada

Triada was first reported in 2016 as a second stage malware. Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.[1]

S0420: Dvmap

Dvmap is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.[1]

S0506: ViperRAT

ViperRAT is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.[1]

S1055: SharkBot

SharkBot is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.[1]

S1094: BRATA

BRATA (Brazilian Remote Access Tool, Android) is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and the USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.[1][2][3]

S1079: BOULDSPY

BOULDSPY is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that BOULDSPY primarily targeted minority groups in Iran.[1]

S0478: EventBot

EventBot is an Android banking trojan and information stealer that abuses Android's accessibility service to steal data from various applications.[1] EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.[1]

S0432: Bread

Bread was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store's malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.[1]
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.5
Created: (blank in the mirrored snapshot)
Modified: (blank in the mirrored snapshot)
Raw hash: f961c00131662f9e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.5 | | Current bundle | f961c0013166…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] FireEye-JSPatch: Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). Hot or Not? The Benefits and Risks of iOS Remote Hot Patching. Retrieved December 9, 2016.
  [2] NIST Mobile Threat Catalogue APP-20.
  [3] mitre-attack T1407.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.