Exodus

Exodus is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).[1]

ID: S0405
Associated Software: Exodus One, Exodus Two
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 03 September 2019
Last Modified: 14 October 2019

Associated Software Descriptions

Name: Exodus One
Description: first stage (dropper).[1]

Name: Exodus Two
Description: second stage (payload).[1]

Techniques Used

Domain ID Name Use
Mobile T1435 Access Calendar Entries

Exodus Two can exfiltrate calendar events.[1]

Mobile T1433 Access Call Log

Exodus Two can exfiltrate the call log.[1]

Mobile T1432 Access Contact List

Exodus Two can download the address book.[1]

Mobile T1409 Access Stored Application Data

Exodus Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat.[1]

Mobile T1418 Application Discovery

Exodus Two can obtain a list of installed applications.[1]

Mobile T1429 Capture Audio

Exodus Two can record audio from the compromised device's microphone and can record call audio in 3GP format.[1]

Mobile T1512 Capture Camera

Exodus Two can take pictures with the device cameras.[1]

Mobile T1412 Capture SMS Messages

Exodus Two can capture SMS messages.[1]

Mobile T1532 Data Encrypted

Exodus One encrypts data using XOR prior to exfiltration.[1]

Mobile T1533 Data from Local System

Exodus Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password.[1]

Mobile T1475 Deliver Malicious App via Authorized App Store

Exodus One has been distributed via the Play Store.[1]

Mobile T1407 Download New Code at Runtime

Exodus One, after checking in, sends a POST request and then downloads Exodus Two, the second-stage binaries.[1]

Mobile T1404 Exploit OS Vulnerability

Exodus Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.[1]

Mobile T1430 Location Tracking

Exodus Two can extract the GPS coordinates of the device.[1]

Mobile T1507 Network Information Discovery

Exodus Two collects a list of nearby base stations.[1]

Mobile T1513 Screen Capture

Exodus Two can take screenshots of any application in the foreground.[1]

Mobile T1437 Standard Application Layer Protocol

Exodus One checks in with the command and control server using HTTP POST requests.[1]

Mobile T1422 System Network Configuration Discovery

Exodus One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.[1]

Mobile T1509 Uncommonly Used Port

Exodus Two attempts to connect to port 22011 to provide a remote reverse shell.[1]

References