The sub-techniques beta is now live! Read the release blog post for more info.


Xbot is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. [1]

ID: S0298
Type: TOOL
Platforms: Android
Version: 1.1
Created: 25 October 2017
Last Modified: 11 December 2018

Techniques Used

Domain ID Name Use
Mobile T1412 Capture SMS Messages

Xbot steals all SMS message and contact information as well as intercepts and parses certain SMS messages.[1]

Mobile T1471 Data Encrypted for Impact

Xbot can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom.[1]

Mobile T1446 Device Lockout

Xbot can remotely lock infected Android devices and ask for a ransom.[1]

Mobile T1411 Input Prompt

Xbot uses phishing pages mimicking Google Play's payment interface as well as bank login pages.[1]