Skip to content

S0405 Exodus

Exodus is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).1

Item Value
ID S0405
Associated Names Exodus One, Exodus Two
Version 1.0
Created 03 September 2019
Last Modified 14 October 2019
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Exodus One 1
Exodus Two 1

Techniques Used

Domain ID Name Use
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols Exodus One checks in with the command and control server using HTTP POST requests.1
mobile T1532 Archive Collected Data Exodus One encrypts data using XOR prior to exfiltration.1
mobile T1429 Audio Capture Exodus Two can record audio from the compromised device’s microphone and can record call audio in 3GP format.1
mobile T1533 Data from Local System Exodus Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network’s password.1
mobile T1407 Download New Code at Runtime Exodus One, after checking in, sends a POST request and then downloads Exodus Two, the second stage binaries.1
mobile T1404 Exploitation for Privilege Escalation Exodus Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.1
mobile T1430 Location Tracking Exodus Two can extract the GPS coordinates of the device.1
mobile T1509 Non-Standard Port Exodus Two attempts to connect to port 22011 to provide a remote reverse shell.1
mobile T1636 Protected User Data -
mobile T1636.001 Calendar Entries Exodus Two can exfiltrate calendar events.1
mobile T1636.002 Call Log Exodus Two can exfiltrate the call log.1
mobile T1636.003 Contact List Exodus Two can download the address book.1
mobile T1636.004 SMS Messages Exodus Two can capture SMS messages.1
mobile T1513 Screen Capture Exodus Two can take screenshots of any application in the foreground.1
mobile T1418 Software Discovery Exodus Two can obtain a list of installed applications.1
mobile T1409 Stored Application Data Exodus Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat.1
mobile T1422 System Network Configuration Discovery Exodus One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.1
mobile T1421 System Network Connections Discovery Exodus Two collects a list of nearby base stations.1
mobile T1512 Video Capture Exodus Two can take pictures with the device cameras.1