S0494 Zen

Zen is Android malware that was first seen in 2013.[1]

| Item | Value |
|---|---|
| ID | S0494 |
| Associated Names | |
| Version | 1.0 |
| Created | 27 July 2020 |
| Last Modified | 11 August 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1407 | Download New Code at Runtime | Zen can dynamically load executable code from remote sources.[1] |
| mobile | T1404 | Exploitation for Privilege Escalation | Zen can obtain root access via a rooting trojan in its infection chain.[1] |
| mobile | T1643 | Generate Traffic from Victim | Zen can simulate user clicks on ads.[1] |
| mobile | T1625 | Hijack Execution Flow | - |
| mobile | T1625.001 | System Runtime API Hijacking | Zen can install itself on the system partition to achieve persistence. Zen can also replace framework.jar, which allows it to intercept and modify the behavior of the standard Android API.[1] |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.003 | Disable or Modify Tools | Zen can modify the SELinux enforcement mode.[1] |
| mobile | T1516 | Input Injection | Zen can simulate user clicks on ads and system prompts to create new Google accounts.[1] |
| mobile | T1406 | Obfuscated Files or Information | Zen base64 encodes one of the strings it searches for.[1] |
| mobile | T1631 | Process Injection | - |
| mobile | T1631.001 | Ptrace System Calls | Zen can inject code into the Setup Wizard at runtime to extract CAPTCHA images. Zen can inject code into the libc of running processes to infect them with the malware.[1] |