MITRE ATT&CK® Technique

T1631: Process Injection

Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Both Android and iOS have no legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.

Domain: Mobile | ID: T1631 | Type: Technique | Object version 1.1 (Modified)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Process Injection on mobile devices matters because code running inside a trusted or higher-privilege process can make malicious activity look like normal application or system behavior. For Android and iOS, MITRE notes there is no legitimate way to perform this; it requires existing root access or exploitation of a vulnerability. That makes this technique a high-signal indicator of serious device compromise when credible evidence is present.

Executive priority

Treat this as a mobile compromise validation issue, not just a malware behavior. Leaders should ask whether the organization can identify rooted or exploited mobile devices, preserve evidence for incident response, and prioritize vulnerabilities or device states that could enable injection. For regulated or high-risk mobile use cases, evidence of monitoring, jailbreak/root controls, and response procedures may be important for compliance and operational resilience.

Technical view

ATT&CK lists Android and iOS as platforms and provides no standalone detection text, but the relationship to DET0632 indicates that a detection strategy exists for Process Injection. SOC and IR teams should validate whether their mobile telemetry can show abnormal code execution inside another live process, suspicious process tracing or debugger attachment (the behavior covered by the related Ptrace System Calls sub-technique), and signs that root access or vulnerability exploitation preceded the injection. Relationship context associates this technique with the mobile software entries LightSpy and FjordPhantom, so threat intelligence enrichment can help triage, but it should not replace local evidence.

Likely telemetry

  • Mobile EDR or device security events showing process manipulation, process tracing, or debug-style attachment behavior
  • Root, jailbreak, privilege escalation, or exploit indicators on Android and iOS devices
  • Application integrity and runtime monitoring data showing unexpected code loaded or executed inside another process
  • Mobile app inventory and installation history for suspicious or unauthorized applications
  • Process-to-resource activity such as unexpected memory, system, or network resource access by otherwise legitimate processes

Detection direction

  • Confirm whether mobile monitoring can observe process-level behavior on Android and iOS rather than only app installation or network indicators.
  • Tune triage around the MITRE constraint that legitimate mobile process injection is not expected; credible evidence should be treated as high severity, while noisy debug or development-device activity should be separated through asset context.
  • Validate coverage for the related Ptrace System Calls sub-technique where platform telemetry exposes such behavior.
  • Correlate process injection signals with root/jailbreak status, exploit indicators, suspicious app installation, and unusual network or system-resource access.
  • Use related software context, including LightSpy and FjordPhantom, as enrichment for investigations, not as proof of attribution or active exposure.

Mitigation priorities

  • Prioritize prevention and detection of rooted, jailbroken, or otherwise compromised mobile devices because MITRE states process injection requires root access or vulnerability exploitation.
  • Maintain mobile OS and application patching programs to reduce exploitable conditions that could enable this behavior.
  • Restrict access to sensitive business services from devices that fail integrity, root/jailbreak, or compliance checks.
  • Ensure incident response playbooks include mobile evidence preservation, device isolation, and credential review when process injection is suspected.
  • Review whether mobile security controls provide auditable evidence for device integrity and runtime compromise, not only application inventory.

Analyst notes and limits

The supplied ATT&CK object is a mobile technique, not a sub-technique, with platforms Android and iOS and no listed tactics. The most decision-relevant statement is that Android and iOS have no legitimate way to achieve process injection; abuse of root access or exploitation of a vulnerability is required. Relationship context includes a detection strategy, one sub-technique for ptrace system calls, and two software examples that use the technique.

MITRE did not provide detection text for T1631 in the supplied fields, and the DET0632 relationship is named but not described here. This take therefore avoids claiming specific detection logic or coverage. Local device telemetry, MDM/mobile EDR capability, asset context, and incident evidence are required to determine exposure or confirm activity.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID        | Name                | Relationship / procedure
Mobile | T1631.001 | Ptrace System Calls | Sub-technique of this object.

Associated objects

Groups, software, and campaigns

Type: Malware | Domain: Mobile

S1208: FjordPhantom

FjordPhantom is a malicious Android application first discovered in September 2024 with targets in Southeast Asia, specifically Indonesia, Thailand, and Vietnam. FjordPhantom was distributed through email and messaging applications. Once installed, the application launches a virtualization solution to steal important information, such as bank accounts, and to manipulate the user interface. The malicious activity from the virtualization solution runs alongside legitimate banking applications.[1]

Platforms: Android

Type: Malware | Domain: Mobile

S1185: LightSpy

First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.[1]

Platforms: Android, Windows, iOS

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 927d3b9f76e78424...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.1            |          | Current bundle | 927d3b9f76e7…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, T1631 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.