XLoader for Android is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users, posing as a pornography application.[1][2] It is tracked separately from XLoader for iOS.

| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1429 | Capture Audio | XLoader for Android covertly records phone calls.[2] |
| Mobile | T1412 | Capture SMS Messages | XLoader for Android collects SMS messages.[2] |
| Mobile | T1476 | Deliver Malicious App via Other Means | XLoader for Android has been distributed via phishing websites.[1] |
| Mobile | T1401 | Device Administrator Permissions | XLoader for Android requests Android Device Administrator access.[2] |
| Mobile | T1444 | Masquerade as Legitimate Application | XLoader for Android has masqueraded as an Android security application.[1] |
| Mobile | T1406 | Obfuscated Files or Information | XLoader for Android loads an encrypted DEX code payload.[2] |
| Mobile | T1426 | System Information Discovery | XLoader for Android collects the device’s Android ID and serial number.[1] |
| Mobile | T1422 | System Network Configuration Discovery | XLoader for Android collects the device’s IMSI and ICCID.[1] |
| Mobile | T1481 | Web Service | XLoader for Android has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.[1] |