Skip to content

S0318 XLoader for Android

XLoader for Android is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.12 It is tracked separately from the XLoader for iOS.

Item Value
ID S0318
Associated Names
Version 2.0
Created 17 October 2018
Last Modified 24 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1626 Abuse Elevation Control Mechanism -
mobile T1626.001 Device Administrator Permissions XLoader for Android requests Android Device Administrator access.2
mobile T1429 Audio Capture XLoader for Android covertly records phone calls.2
mobile T1406 Obfuscated Files or Information XLoader for Android loads an encrypted DEX code payload.2
mobile T1636 Protected User Data -
mobile T1636.004 SMS Messages XLoader for Android collects SMS messages.2
mobile T1426 System Information Discovery XLoader for Android collects the device’s Android ID and serial number.1
mobile T1422 System Network Configuration Discovery XLoader for Android collects the device’s IMSI and ICCID.1
mobile T1481 Web Service -
mobile T1481.001 Dead Drop Resolver XLoader for Android has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.1