Exodus

Exodus is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).[1]

ID: S0405
Associated Software: Exodus One, Exodus Two
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 03 September 2019
Last Modified: 14 October 2019

Associated Software Descriptions

Name Description
Exodus One [1]
Exodus Two [1]

Techniques Used

Domain ID Name Use

Mobile T1435 Access Calendar Entries

Exodus Two can exfiltrate calendar events.[1]

Mobile T1433 Access Call Log

Exodus Two can exfiltrate the call log.[1]

Mobile T1432 Access Contact List

Exodus Two can download the address book.[1]

Mobile T1409 Access Stored Application Data

Exodus Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat.[1]

Mobile T1418 Application Discovery

Exodus Two can obtain a list of installed applications.[1]

Mobile T1429 Capture Audio

Exodus Two can record audio from the compromised device's microphone and can record call audio in 3GP format.[1]

Mobile T1512 Capture Camera

Exodus Two can take pictures with the device cameras.[1]

Mobile T1412 Capture SMS Messages

Exodus Two can capture SMS messages.[1]

Mobile T1532 Data Encrypted

Exodus One encrypts data using XOR prior to exfiltration.[1]

Mobile T1533 Data from Local System

Exodus Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password.[1]

Mobile T1475 Deliver Malicious App via Authorized App Store

Exodus One has been distributed via the Play Store.[1]

Mobile T1407 Download New Code at Runtime

Exodus One, after checking in, sends a POST request and then downloads Exodus Two, the second-stage binaries.[1]

Mobile T1404 Exploit OS Vulnerability

Exodus Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.[1]

Mobile T1430 Location Tracking

Exodus Two can extract the GPS coordinates of the device.[1]

Mobile T1507 Network Information Discovery

Exodus Two collects a list of nearby base stations.[1]

Mobile T1513 Screen Capture

Exodus Two can take screenshots of any application in the foreground.[1]

Mobile T1437 Standard Application Layer Protocol

Exodus One checks in with the command and control server using HTTP POST requests.[1]

Mobile T1422 System Network Configuration Discovery

Exodus One queries the device for its IMEI code and phone number in order to validate the target of a new infection.[1]

Mobile T1509 Uncommonly Used Port

Exodus Two attempts to connect to port 22011 to provide a remote reverse shell.[1]

References