| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| mobile | T1435 | Access Calendar Entries | Exodus Two can exfiltrate calendar events. |
| mobile | T1433 | Access Call Log | Exodus Two can exfiltrate the call log. |
| mobile | T1432 | Access Contact List | Exodus Two can download the address book. |
| mobile | T1409 | Access Stored Application Data | Exodus Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat. |
| mobile | T1418 | Application Discovery | Exodus Two can obtain a list of installed applications. |
| mobile | T1429 | Capture Audio | Exodus Two can record audio from the compromised device’s microphone and can record call audio in 3GP format. |
| mobile | T1512 | Capture Camera | Exodus Two can take pictures with the device cameras. |
| mobile | T1412 | Capture SMS Messages | Exodus Two can capture SMS messages. |
| mobile | T1532 | Data Encrypted | Exodus One encrypts data using XOR prior to exfiltration. |
| mobile | T1533 | Data from Local System | Exodus Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network’s password. |
| mobile | T1475 | Deliver Malicious App via Authorized App Store | Exodus One has been distributed via the Play Store. |
| mobile | T1407 | Download New Code at Runtime | Exodus One, after checking in, sends a POST request and then downloads Exodus Two, the second-stage binaries. |
| mobile | T1404 | Exploit OS Vulnerability | Exodus Two attempts to elevate privileges by using a modified version of the DirtyCow exploit. |
| mobile | T1430 | Location Tracking | Exodus Two can extract the GPS coordinates of the device. |
| mobile | T1507 | Network Information Discovery | Exodus Two collects a list of nearby base stations. |
| mobile | T1513 | Screen Capture | Exodus Two can take screenshots of any application in the foreground. |
| mobile | T1437 | Standard Application Layer Protocol | Exodus One checks in with the command and control server using HTTP POST requests. |
| mobile | T1422 | System Network Configuration Discovery | Exodus One queries the device for its IMEI code and the phone number in order to validate the target of a new infection. |
| mobile | T1509 | Uncommonly Used Port | Exodus Two attempts to connect to port 22011 to provide a remote reverse shell. |