S0318 XLoader for Android
XLoader for Android is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.[1][2] It is tracked separately from XLoader for iOS.
| Item | Value |
|---|---|
| ID | S0318 |
| Associated Names | |
| Type | MALWARE |
| Version | 2.0 |
| Created | 17 October 2018 |
| Last Modified | 24 October 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1626 | Abuse Elevation Control Mechanism | - |
| mobile | T1626.001 | Device Administrator Permissions | XLoader for Android requests Android Device Administrator access.[2] |
| mobile | T1429 | Audio Capture | XLoader for Android covertly records phone calls.[2] |
| mobile | T1406 | Obfuscated Files or Information | XLoader for Android loads an encrypted DEX code payload.[2] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.004 | SMS Messages | XLoader for Android collects SMS messages.[2] |
| mobile | T1426 | System Information Discovery | XLoader for Android collects the device's Android ID and serial number.[1] |
| mobile | T1422 | System Network Configuration Discovery | XLoader for Android collects the device's IMSI and ICCID.[1] |
| mobile | T1481 | Web Service | - |
| mobile | T1481.001 | Dead Drop Resolver | XLoader for Android has fetched its C2 address from encoded Twitter names, as well as from Instagram and Tumblr.[1] |