ATT&CK v16 has been released! Check out the blog post for more information.

Zen

Zen is Android malware that was first seen in 2013.^[1]

ID: S0494

ⓘ

Type: MALWARE

ⓘ

Platforms: Android

Version: 1.0

Created: 27 July 2020

Last Modified: 11 August 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Mobile	T1407		Download New Code at Runtime	Zen can dynamically load executable code from remote sources.^[1]
Mobile	T1404		Exploitation for Privilege Escalation	Zen can obtain root access via a rooting trojan in its infection chain.^[1]
Mobile	T1643		Generate Traffic from Victim	Zen can simulate user clicks on ads.^[1]
Mobile	T1625	.001	Hijack Execution Flow: System Runtime API Hijacking	Zen can install itself on the system partition to achieve persistence. Zen can also replace `framework.jar`, which allows it to intercept and modify the behavior of the standard Android API.^[1]
Mobile	T1629	.003	Impair Defenses: Disable or Modify Tools	Zen can modify the SELinux enforcement mode.^[1]
Mobile	T1516		Input Injection	Zen can simulate user clicks on ads and system prompts to create new Google accounts.^[1]
Mobile	T1406		Obfuscated Files or Information	Zen base64 encodes one of the strings it searches for.^[1]
Mobile	T1631	.001	Process Injection: Ptrace System Calls	Zen can inject code into the Setup Wizard at runtime to extract CAPTCHA images. Zen can inject code into the `libc` of running processes to infect them with the malware.^[1]

References

Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.