S0304: Android/Chuli.A
Android/Chuli.A is Android malware that was delivered to activist groups via a spearphishing email with an attachment. [1]
Analyst context for executives and security teams
Android/Chuli.A matters because the ATT&CK record describes mobile malware delivered by spearphishing attachment and associated with collection of sensitive mobile data such as location, call logs, contacts, SMS messages, and device system information. For leaders, the practical issue is not just one named Android malware family; it is whether the organization can govern and investigate mobile devices that may hold executive communications, activist or high-risk user data, contacts, and location history.
Executive priority
Prioritize this as a mobile security and incident readiness question for Android users who handle sensitive communications or travel. Executives should ask whether mobile phishing, application permissions, location access, SMS/contact exposure, and mobile network communications are visible enough to support incident decisions and compliance evidence. Because ATT&CK provides no official detection text and no tactics for this object, coverage should be validated through local telemetry rather than assumed from existing endpoint or email controls.
Technical view
SOC and IR teams should validate Android-focused visibility around spearphishing attachment intake, suspicious application installation, app permission access to contacts/SMS/call logs/location, device system information queries, and outbound web-protocol communications. Relationship context links Android/Chuli.A to System Information Discovery, Location Tracking, Web Protocols, Call Log, Contact List, SMS Messages, and Out of Band Data. Detection engineering should map those behaviors to mobile device management, mobile threat defense, email security, DNS/proxy, and device forensic sources where available, while accounting for limited visibility on personal or unmanaged Android devices.
Likely telemetry
- Email security logs for spearphishing messages and attachments delivered to Android users
- Mobile device management inventory, enrollment status, OS version, and application inventory
- Android application permission data for location, contacts, SMS, and call log access
- Mobile threat defense alerts or device forensic artifacts for suspicious Android applications
- Network, DNS, proxy, or secure web gateway records showing HTTP/HTTPS communications from mobile devices
Detection direction
- Do not rely on a malware-name signature alone; validate behavioral coverage for the related ATT&CK techniques.
- Tune for unusual Android apps requesting combinations of sensitive permissions, especially contacts, SMS, call logs, and location.
- Review mobile-originated HTTP/HTTPS traffic patterns carefully because web protocols may blend with normal mobile app traffic.
- Correlate email attachment delivery with subsequent Android app installation or permission changes when telemetry allows.
- Identify blind spots for bring-your-own-device, unenrolled Android devices, encrypted mobile traffic, and out-of-band channels such as SMS, NFC, Bluetooth, or push notification abuse.
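One way to turn the permission-combination tuning above into a repeatable check over an MDM application inventory, as an added example that is not part of the ATT&CK record or this page: it maps the technique IDs from this page's relationship table to the Android permissions that grant the same data, flags apps that combine several of them, and ranks sideloaded installs (the attachment-delivery path this object describes) above store installs. The inventory layout, the `App` class, the package names and the permission-to-technique mapping are assumptions for illustration.

```python
"""Flag Android apps whose permission set matches the collection profile this
page associates with Android/Chuli.A (T1636.002/.003/.004, T1430, T1644,
T1437.001). Added example; the inventory format is an assumed MDM export."""
from dataclasses import dataclass
from typing import Optional

P = "android.permission."
# Permission -> ATT&CK technique from the page's relationship table (assumed mapping)
PROFILE = {
    P + "READ_CONTACTS": "T1636.003 Contact List",
    P + "READ_SMS": "T1636.004 SMS Messages",
    P + "READ_CALL_LOG": "T1636.002 Call Log",
    P + "ACCESS_FINE_LOCATION": "T1430 Location Tracking",
    P + "RECEIVE_SMS": "T1644 Out of Band Data (SMS C2)",
    P + "INTERNET": "T1437.001 Web Protocols (HTTP upload)",
}

@dataclass
class App:
    package: str
    installer: Optional[str]      # None = sideloaded / unknown installer
    permissions: frozenset

def score_app(app: App, min_hits: int = 3) -> list:
    """Technique labels matched when >= min_hits profile permissions combine."""
    hits = [label for perm, label in PROFILE.items() if perm in app.permissions]
    return hits if len(hits) >= min_hits else []

def triage(inventory: list) -> dict:
    """Flag apps; sideloaded installs (the page's attachment delivery) rank higher."""
    findings = {}
    for app in inventory:
        hits = score_app(app)
        if hits:
            findings[app.package] = {"techniques": hits,
                                     "priority": "high" if app.installer is None else "review"}
    return findings

def perms(*names: str) -> frozenset:
    return frozenset(P + n for n in names)
# Constructed sample inventory (not real package data); com.android.vending = Play Store.
SAMPLE = [
    App("com.example.messenger", "com.android.vending",
        perms("READ_CONTACTS", "READ_SMS", "RECEIVE_SMS", "INTERNET")),
    App("com.example.conference", None,
        perms("READ_CONTACTS", "READ_SMS", "READ_CALL_LOG",
              "ACCESS_FINE_LOCATION", "RECEIVE_SMS", "INTERNET")),
    App("com.example.flashlight", "com.android.vending", perms("CAMERA")),
]
```

A legitimate messenger will also match, which is why the output is a triage queue keyed on installer source rather than an alert by itself; add an allowlist of sanctioned packages before wiring this to a ticketing system.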
Mitigation priorities
- Establish mobile phishing defenses and user reporting paths for Android users who handle sensitive communications.
- Require enrollment and policy enforcement for Android devices accessing organizational data where business and legal requirements allow.
- Limit access from unmanaged or noncompliant mobile devices to sensitive email, collaboration, and identity-backed services.
- Review and govern app permissions for location, contacts, SMS, and call logs, prioritizing high-risk users and sensitive roles.
- Maintain mobile incident response playbooks that cover evidence preservation, device isolation, credential review, and communication data exposure assessment.
Analyst notes and limits
The ATT&CK object identifies Android/Chuli.A as Android malware delivered to activist groups via spearphishing email with an attachment and provides relationships to several mobile techniques. The strongest defensive value is in validating mobile telemetry and controls for sensitive data collection and mobile command-and-control patterns, not in assuming broad coverage from conventional desktop EDR.
Official detection is not provided, tactics are not specified, and the supplied description is brief. The assessment is therefore behavior- and relationship-driven. Local device ownership models, mobile management coverage, privacy constraints, and available forensic telemetry will determine what can actually be detected or proven.
Android/Chuli.A
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1636.002 | Call Log Sub-technique | Android/Chuli.A stole call logs. [1] |
| Mobile | T1437.001 | Web Protocols Sub-technique | Android/Chuli.A used HTTP uploads to a URL as a command and control mechanism. [1] |
| Mobile | T1636.004 | SMS Messages Sub-technique | Android/Chuli.A stole SMS message content. [1] |
| Mobile | T1426 | System Information Discovery | Android/Chuli.A gathered system information including phone number, OS version, phone model, and SDK version. [1] |
| Mobile | T1430 | Location Tracking | Android/Chuli.A stole geo-location data. [1] |
| Mobile | T1644 | Out of Band Data | Android/Chuli.A used SMS to receive command and control messages. [1] |
| Mobile | T1636.003 | Contact List Sub-technique | Android/Chuli.A stole contact list data stored both on the phone and the SIM card. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | a0c998abde41… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kaspersky-WUC: Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.
[2] Android/Chuli.A (Citation: Kaspersky-WUC)
[3] mitre-attack: S0304
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.