XLoader for Android

XLoader for Android is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.[1][2] It is tracked separately from the XLoader for iOS.

ID: S0318
Platforms: Android
Version: 2.0
Created: 17 October 2018
Last Modified: 24 October 2022

Techniques Used

Domain ID Name Use
Mobile T1626 .001 Abuse Elevation Control Mechanism: Device Administrator Permissions

XLoader for Android requests Android Device Administrator access.[2]

Mobile T1429 Audio Capture

XLoader for Android covertly records phone calls.[2]

Mobile T1655 .001 Masquerading: Match Legitimate Name or Location

XLoader for Android has masqueraded as an Android security application.[1]

Mobile T1406 Obfuscated Files or Information

XLoader for Android loads an encrypted DEX code payload.[2]

Mobile T1636 .004 Protected User Data: SMS Messages

XLoader for Android collects SMS messages.[2]

Mobile T1426 System Information Discovery

XLoader for Android collects the device’s Android ID and serial number.[1]

Mobile T1422 System Network Configuration Discovery

XLoader for Android collects the device’s IMSI and ICCID.[1]

Mobile T1481 .001 Web Service: Dead Drop Resolver

XLoader for Android has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.[1]