Skip to content

S0405 Exodus

Exodus is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).1

Item Value
ID S0405
Associated Names Exodus One, Exodus Two
Type MALWARE
Version 1.0
Created 03 September 2019
Last Modified 14 October 2019
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Exodus One 1
Exodus Two 1

Techniques Used

Domain ID Name Use
mobile T1435 Access Calendar Entries Exodus Two can exfiltrate calendar events.1
mobile T1433 Access Call Log Exodus Two can exfiltrate the call log.1
mobile T1432 Access Contact List Exodus Two can download the address book.1
mobile T1409 Access Stored Application Data Exodus Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat.1
mobile T1418 Application Discovery Exodus Two can obtain a list of installed applications.1
mobile T1429 Capture Audio Exodus Two can record audio from the compromised device’s microphone and can record call audio in 3GP format.1
mobile T1512 Capture Camera Exodus Two can take pictures with the device cameras.1
mobile T1412 Capture SMS Messages Exodus Two can capture SMS messages.1
mobile T1532 Data Encrypted Exodus One encrypts data using XOR prior to exfiltration.1
mobile T1533 Data from Local System Exodus Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network’s password.1
mobile T1475 Deliver Malicious App via Authorized App Store Exodus One has been distributed via the Play Store.1
mobile T1407 Download New Code at Runtime Exodus One, after checking in, sends a POST request and then downloads Exodus Two, the second stage binaries.1
mobile T1404 Exploit OS Vulnerability Exodus Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.1
mobile T1430 Location Tracking Exodus Two can extract the GPS coordinates of the device.1
mobile T1507 Network Information Discovery Exodus Two collects a list of nearby base stations.1
mobile T1513 Screen Capture Exodus Two can take screenshots of any application in the foreground.1
mobile T1437 Standard Application Layer Protocol Exodus One checks in with the command and control server using HTTP POST requests.1
mobile T1422 System Network Configuration Discovery Exodus One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.1
mobile T1509 Uncommonly Used Port Exodus Two attempts to connect to port 22011 to provide a remote reverse shell.1

References

Back to top