XLoader for Android

XLoader for Android is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.[1][2] It is tracked separately from the XLoader for iOS.

ID: S0318
Platforms: Android
Version: 2.0
Created: 17 October 2018
Last Modified: 16 October 2020

Techniques Used

Domain | ID    | Name                                     | Use
Mobile | T1429 | Capture Audio                            | XLoader for Android covertly records phone calls.[2]
Mobile | T1412 | Capture SMS Messages                     | XLoader for Android collects SMS messages.[2]
Mobile | T1476 | Deliver Malicious App via Other Means    | XLoader for Android has been distributed via phishing websites.[1]
Mobile | T1401 | Device Administrator Permissions         | XLoader for Android requests Android Device Administrator access.[2]
Mobile | T1444 | Masquerade as Legitimate Application     | XLoader for Android has masqueraded as an Android security application.[1]
Mobile | T1406 | Obfuscated Files or Information          | XLoader for Android loads an encrypted DEX code payload.[2]
Mobile | T1426 | System Information Discovery             | XLoader for Android collects the device’s Android ID and serial number.[1]
Mobile | T1422 | System Network Configuration Discovery   | XLoader for Android collects the device’s IMSI and ICCID.[1]
Mobile | T1481 | Web Service                              | XLoader for Android has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.[1]