Zen is Android malware that was first seen in 2013.[1]

ID: S0494
Platforms: Android
Version: 1.0
Created: 27 July 2020
Last Modified: 11 August 2020

Techniques Used

Domain | ID | Name
Use

Mobile | T1407 | Download New Code at Runtime
Zen can dynamically load executable code from remote sources.[1]

Mobile | T1404 | Exploitation for Privilege Escalation
Zen can obtain root access via a rooting trojan in its infection chain.[1]

Mobile | T1643 | Generate Traffic from Victim
Zen can simulate user clicks on ads.[1]

Mobile | T1625.001 | Hijack Execution Flow: System Runtime API Hijacking
Zen can install itself on the system partition to achieve persistence. Zen can also replace framework.jar, which allows it to intercept and modify the behavior of the standard Android API.[1]

Mobile | T1629.003 | Impair Defenses: Disable or Modify Tools
Zen can modify the SELinux enforcement mode.[1]

Mobile | T1516 | Input Injection
Zen can simulate user clicks on ads and system prompts to create new Google accounts.[1]

Mobile | T1406 | Obfuscated Files or Information
Zen base64-encodes one of the strings it searches for.[1]

Mobile | T1631.001 | Process Injection: Ptrace System Calls
Zen can inject code into the Setup Wizard at runtime to extract CAPTCHA images. Zen can inject code into the libc of running processes to infect them with the malware.[1]