S0494 Zen
Zen is Android malware that was first seen in 2013.[1]
Item | Value |
---|---|
ID | S0494 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 27 July 2020 |
Last Modified | 11 August 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1407 | Download New Code at Runtime | Zen can dynamically load executable code from remote sources.[1] |
mobile | T1404 | Exploitation for Privilege Escalation | Zen can obtain root access via a rooting trojan in its infection chain.[1] |
mobile | T1643 | Generate Traffic from Victim | Zen can simulate user clicks on ads.[1] |
mobile | T1625 | Hijack Execution Flow | - |
mobile | T1625.001 | System Runtime API Hijacking | Zen can install itself on the system partition to achieve persistence. Zen can also replace framework.jar, which allows it to intercept and modify the behavior of the standard Android API.[1] |
mobile | T1629 | Impair Defenses | - |
mobile | T1629.003 | Disable or Modify Tools | Zen can modify the SELinux enforcement mode.[1] |
mobile | T1516 | Input Injection | Zen can simulate user clicks on ads and system prompts to create new Google accounts.[1] |
mobile | T1406 | Obfuscated Files or Information | Zen base64 encodes one of the strings it searches for.[1] |
mobile | T1631 | Process Injection | - |
mobile | T1631.001 | Ptrace System Calls | Zen can inject code into the Setup Wizard at runtime to extract CAPTCHA images. Zen can inject code into the libc of running processes to infect them with the malware.[1] |