T1625: Hijack Execution Flow
Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time.
There are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.
Analyst context for executives and security teams
Hijack Execution Flow on Android matters because it can let malicious code run when legitimate applications or OS components execute, potentially recurring over time as a persistence mechanism. For leaders, the practical issue is whether mobile devices accessing enterprise resources can be trusted at the OS and system-partition level, not just whether installed apps look acceptable.
Executive priority
Prioritize this where Android devices are used for enterprise access, privileged workflows, regulated data, or operational communications. The ATT&CK mitigation relationships point to device trust controls: remote attestation and Verified Boot/system partition integrity. Executives should ask whether failed-attestation or integrity-compromised devices are actually blocked from enterprise resources and whether SOC/IR teams receive usable evidence when mobile execution integrity is suspect.
Technical view
This ATT&CK object has no official detection text and no tactic listed, so coverage should be validated from available mobile security controls rather than assumed. SOC and IR teams should focus on Android execution-integrity evidence: signs that normal program, library, resource, or API resolution has been altered; device attestation failures; Verified Boot or system partition integrity failures; and context from the related sub-technique T1625.001, System Runtime API Hijacking, which describes overwriting standard Android OS API libraries with malicious alternatives. The related software YiSpecter is listed as using this technique, but the supplied data should not be treated as evidence of current activity in any environment.
Likely telemetry
- Android remote attestation results, including pass/fail status where available
- Verified Boot and system partition integrity status
- Mobile device management or mobile threat defense device-compliance events
- Mobile EDR or security agent alerts for abnormal application execution, library loading, or OS resource access where available
- File or system integrity observations for protected OS libraries, APIs, directories, and resources where supported
Detection direction
- Confirm whether DET0694, Detection of Hijack Execution Flow, is implemented or mapped in local detection content; the supplied ATT&CK fields do not provide the strategy details.
- Validate that Android integrity and attestation failures generate alerts, cases, or access-control actions rather than remaining only in MDM inventory data.
- Tune detections to correlate execution-flow anomalies with device integrity status, OS/library/resource changes, and enterprise access attempts to reduce noisy standalone mobile alerts.
- Review blind spots for unmanaged Android devices, devices without attestation support, devices where mobile telemetry is not forwarded to the SOC, and controls that report compliance without preserving investigation detail.
- Use T1625.001 as relationship-driven context when validating whether system runtime API or OS library tampering would be visible in available telemetry.
Mitigation priorities
- Enable remote attestation capabilities when available and prohibit devices that fail attestation from accessing enterprise resources, consistent with M1002 Attestation.
- Ensure Android devices include and enable Verified Boot to cryptographically protect system partition integrity, consistent with M1004 System Partition Integrity.
- Make device trust enforcement part of identity and access decisions for enterprise applications, not only a mobile operations report.
- Define IR handling for failed attestation or system integrity events, including containment of enterprise access and preservation of available mobile telemetry.
- Document attestation and Verified Boot enforcement as compliance evidence where mobile device trust is in scope.
Analyst notes and limits
The object is a mobile ATT&CK technique for Android with no official detection guidance and no listed tactics. The strongest defensive direction comes from the supplied mitigation relationships to Attestation and System Partition Integrity, plus the related Android sub-technique System Runtime API Hijacking. Treat local mobile management, access-control, and security telemetry as the deciding evidence for coverage.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not establish active exploitation, customer exposure, attribution, business impact, or guaranteed detection. The related detection strategy is named but not described in the supplied data, so implementation details must be validated locally.
Hijack Execution Flow
Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time.
There are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1625.001 | System Runtime API Hijacking Sub-technique | System Runtime API Hijacking subtechnique of this object. |
Groups, software, and campaigns
S0311: YiSpecter
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | bb0a4df1d693… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
NIST Mobile Threat Catalogue APP-27Open source URL
-
[2]
mitre-attack T1625Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.