
S0318 XLoader for Android

XLoader for Android is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.[1][2] It is tracked separately from the XLoader for iOS.

| Item | Value |
|---|---|
| ID | S0318 |
| Associated Names | |
| Version | 2.0 |
| Created | 17 October 2018 |
| Last Modified | 16 October 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1429 | Capture Audio | XLoader for Android covertly records phone calls.[2] |
| mobile | T1412 | Capture SMS Messages | XLoader for Android collects SMS messages.[2] |
| mobile | T1476 | Deliver Malicious App via Other Means | XLoader for Android has been distributed via phishing websites.[1] |
| mobile | T1401 | Device Administrator Permissions | XLoader for Android requests Android Device Administrator access.[2] |
| mobile | T1444 | Masquerade as Legitimate Application | XLoader for Android has masqueraded as an Android security application.[1] |
| mobile | T1406 | Obfuscated Files or Information | XLoader for Android loads an encrypted DEX code payload.[2] |
| mobile | T1426 | System Information Discovery | XLoader for Android collects the device’s Android ID and serial number.[1] |
| mobile | T1422 | System Network Configuration Discovery | XLoader for Android collects the device’s IMSI and ICCID.[1] |
| mobile | T1481 | Web Service | XLoader for Android has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.[1] |

