Exodus is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).[1]

ID: S0405
Associated Software: Exodus One, Exodus Two
Platforms: Android
Version: 1.0
Created: 03 September 2019
Last Modified: 14 October 2019

Associated Software Descriptions

Name Description
Exodus One


Exodus Two


Techniques Used

Domain ID Name Use
Mobile T1437 .001 Application Layer Protocol: Web Protocols

Exodus One checks in with the command and control server using HTTP POST requests.[1]

Mobile T1532 Archive Collected Data

Exodus One encrypts data using XOR prior to exfiltration.[1]

Mobile T1429 Audio Capture

Exodus Two can record audio from the compromised device's microphone and can record call audio in 3GP format.[1]

Mobile T1533 Data from Local System

Exodus Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password.[1]

Mobile T1407 Download New Code at Runtime

Exodus One, after checking in, sends a POST request and then downloads Exodus Two, the second stage binaries.[1]

Mobile T1404 Exploitation for Privilege Escalation

Exodus Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.[1]

Mobile T1430 Location Tracking

Exodus Two can extract the GPS coordinates of the device.[1]

Mobile T1509 Non-Standard Port

Exodus Two attempts to connect to port 22011 to provide a remote reverse shell.[1]

Mobile T1636 .001 Protected User Data: Calendar Entries

Exodus Two can exfiltrate calendar events.[1]

.002 Protected User Data: Call Log

Exodus Two can exfiltrate the call log.[1]

.003 Protected User Data: Contact List

Exodus Two can download the address book.[1]

.004 Protected User Data: SMS Messages

Exodus Two can capture SMS messages.[1]

Mobile T1513 Screen Capture

Exodus Two can take screenshots of any application in the foreground.[1]

Mobile T1418 Software Discovery

Exodus Two can obtain a list of installed applications.[1]

Mobile T1409 Stored Application Data

Exodus Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat.[1]

Mobile T1422 System Network Configuration Discovery

Exodus One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.[1]

Mobile T1421 System Network Connections Discovery

Exodus Two collects a list of nearby base stations.[1]

Mobile T1512 Video Capture

Exodus Two can take pictures with the device cameras.[1]