S0318 XLoader for Android
XLoader for Android is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.12 It is tracked separately from the XLoader for iOS.
| Item | Value |
|---|---|
| ID | S0318 |
| Associated Names | |
| Type | MALWARE |
| Version | 2.0 |
| Created | 17 October 2018 |
| Last Modified | 16 October 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1429 | Capture Audio | XLoader for Android covertly records phone calls.2 |
| mobile | T1412 | Capture SMS Messages | XLoader for Android collects SMS messages.2 |
| mobile | T1476 | Deliver Malicious App via Other Means | XLoader for Android has been distributed via phishing websites.1 |
| mobile | T1401 | Device Administrator Permissions | XLoader for Android requests Android Device Administrator access.2 |
| mobile | T1444 | Masquerade as Legitimate Application | XLoader for Android has masqueraded as an Android security application.1 |
| mobile | T1406 | Obfuscated Files or Information | XLoader for Android loads an encrypted DEX code payload.2 |
| mobile | T1426 | System Information Discovery | XLoader for Android collects the device’s Android ID and serial number.1 |
| mobile | T1422 | System Network Configuration Discovery | XLoader for Android collects the device’s IMSI and ICCID.1 |
| mobile | T1481 | Web Service | XLoader for Android has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.1 |