XLoader for Android is a malicious Android app first observed in 2018 targeting Japan, Korea, China, Taiwan, and Hong Kong. It has more recently been observed targeting South Korean users while posing as a pornography application. It is tracked separately from XLoader for iOS.
| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1626.001 | Abuse Elevation Control Mechanism: Device Administrator Permissions | XLoader for Android requests Android Device Administrator access. |
| Mobile | | | XLoader for Android covertly records phone calls. |
| Mobile | T1406 | Obfuscated Files or Information | XLoader for Android loads an encrypted DEX code payload. |
| Mobile | T1636.004 | Protected User Data: SMS Messages | XLoader for Android collects SMS messages. |
| Mobile | T1426 | System Information Discovery | XLoader for Android collects the device's Android ID and serial number. |
| Mobile | T1422 | System Network Configuration Discovery | XLoader for Android collects the device's IMSI and ICCID. |
| Mobile | T1481.001 | Web Service: Dead Drop Resolver | XLoader for Android has fetched its C2 address from encoded Twitter names, as well as from Instagram and Tumblr. |