Zen is Android malware that was first seen in 2013.[1]

ID: S0494
Platforms: Android
Version: 1.0
Created: 27 July 2020
Last Modified: 11 August 2020

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1540 | Code Injection | Zen can inject code into the Setup Wizard at runtime to extract CAPTCHA images. Zen can inject code into the libc of running processes to infect them with the malware.[1] |
| Mobile | T1475 | Deliver Malicious App via Authorized App Store | Zen has been distributed via the Google Play Store.[1] |
| Mobile | T1407 | Download New Code at Runtime | Zen can dynamically load executable code from remote sources.[1] |
| Mobile | T1404 | Exploit OS Vulnerability | Zen can obtain root access via a rooting trojan in its infection chain.[1] |
| Mobile | T1472 | Generate Fraudulent Advertising Revenue | Zen can simulate user clicks on ads.[1] |
| Mobile | T1516 | Input Injection | Zen can simulate user clicks on ads and system prompts to create new Google accounts.[1] |
| Mobile | T1478 | Install Insecure or Malicious Configuration | Zen can modify the SELinux enforcement mode.[1] |
| Mobile | T1400 | Modify System Partition | Zen can install itself on the system partition to achieve persistence. Zen can also replace framework.jar, which allows it to intercept and modify the behavior of the standard Android API.[1] |
| Mobile | T1406 | Obfuscated Files or Information | Zen base64 encodes one of the strings it searches for.[1] |