XLoader for Android is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.[1][2] It is tracked separately from the XLoader for iOS.
| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1626.001 | Abuse Elevation Control Mechanism: Device Administrator Permissions | XLoader for Android requests Android Device Administrator access.[2] |
| Mobile | T1429 | Audio Capture | XLoader for Android covertly records phone calls.[2] |
| Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | XLoader for Android has masqueraded as an Android security application.[1] |
| Mobile | T1406 | Obfuscated Files or Information | XLoader for Android loads an encrypted DEX code payload.[2] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | XLoader for Android collects SMS messages.[2] |
| Mobile | T1426 | System Information Discovery | XLoader for Android collects the device's Android ID and serial number.[1] |
| Mobile | T1422 | System Network Configuration Discovery | XLoader for Android collects the device's IMSI and ICCID.[1] |
| Mobile | T1481.001 | Web Service: Dead Drop Resolver | XLoader for Android has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.[1] |