S0314: X-Agent for Android

X-Agent for Android is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. [1] It is tracked separately from CHOPSTICK.

Domain: Mobile | ID: S0314 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

X-Agent for Android matters because it shows how a mobile app that appears legitimate can become a source of sensitive physical-location intelligence. In the cited ATT&CK description, the malware was placed in a repackaged Ukrainian artillery targeting application and reportedly collected general location data that could indicate where the victim device was used. For leaders, the key issue is not only mobile malware cleanup; it is whether trusted operational apps, field devices, and location permissions could expose personnel, assets, or mission activity.

Executive priority

Prioritize this behavior where Android devices support field operations, sensitive travel, defense, public safety, executive protection, or other location-sensitive workflows. Leaders should ask whether mobile app sourcing, permission governance, device management, and incident response plans can prove that operational apps are legitimate and that location access is justified. This object also supports cyber-physical risk discussions because device location data can translate into real-world operational exposure.

Technical view

ATT&CK provides no official detection text for S0314, so SOC and IR teams should validate coverage through the related behaviors: Location Tracking (T1430) and Match Legitimate Name or Location (T1655.001). Practical validation should focus on Android app provenance, repackaged or lookalike applications, suspicious use of location permissions, and mobile device events showing unexpected location access by apps that resemble trusted operational software. The relationship context states APT28 uses this malware, but local detections should be behavior-led rather than dependent on attribution.

Likely telemetry

  • Mobile device management or enterprise mobility inventory showing installed Android applications, package names, versions, and sources
  • Application manifest and permission data, especially location-related permissions such as fine, coarse, or background location access where available
  • Mobile threat defense or endpoint telemetry for repackaged applications, suspicious APK signatures, or applications mimicking legitimate names/icons/locations
  • Android device logs or security events showing location access patterns, app installation events, and app updates
  • App store, sideloading, certificate/signature, and allowlist/denylist records for operational mobile applications

Detection direction

  • Confirm whether the organization can distinguish approved operational Android apps from repackaged or lookalike versions by package name, signing certificate, source, and version.
  • Tune monitoring for applications that request or use location permissions inconsistent with their approved business purpose, while accounting for legitimate navigation, logistics, safety, and field-service applications.
  • Review blind spots around unmanaged personal devices, sideloaded APKs, third-party app distribution, and devices used in remote or field environments that may not report consistently.
  • Correlate suspicious app identity findings with location-permission use rather than relying on malware family names alone, since ATT&CK provides no detection procedure for this object.
  • Use the APT28 relationship as threat-intelligence context for prioritization, not as proof of local activity or attribution.

Mitigation priorities

  • Establish a controlled source of approved mobile applications for sensitive Android use cases and restrict sideloading where operationally feasible.
  • Require validation of app identity through signing certificates, package metadata, and approved versions for mission or business-critical mobile apps.
  • Apply least-privilege permission governance for location access, including review of background location access where supported by the platform and management tooling.
  • Ensure mobile device management or equivalent controls provide inventory, compliance status, and incident response access for devices used in sensitive operations.
  • Include mobile app repackaging and location-data exposure scenarios in incident response playbooks, tabletop exercises, and compliance evidence collection.
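The app-identity and location-permission checks called for under "Detection direction" and "Mitigation priorities" above, as an added Python example that is not Glexia's or MITRE's code. It assumes an MDM export that reports, per installed app, the package name, display label, signing-certificate SHA-256 fingerprint, install source and granted permissions; the package names, labels, fingerprints and allowlist are constructed samples.

```python
# Added example, not Glexia's or MITRE's code: checks an Android app inventory
# (assumed MDM export) against an allowlist of approved operational apps.
# Package names, labels and certificate fingerprints are constructed samples.
from dataclasses import dataclass, field

LOCATION_PERMS = {"android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_COARSE_LOCATION",
                  "android.permission.ACCESS_BACKGROUND_LOCATION"}

@dataclass
class App:
    package: str        # package name from inventory
    label: str          # display name shown to the user
    cert_sha256: str    # signing-certificate fingerprint (hex)
    source: str         # "managed_store" or "sideload"
    permissions: set = field(default_factory=set)

# Approved app: package -> (expected signer fingerprint, justified location perms)
ALLOWLIST = {"ua.example.fieldcalc": ("AA11" * 16, {"android.permission.ACCESS_FINE_LOCATION"})}
APPROVED_LABELS = {"Field Calc"}   # display names users trust

def check_app(app: App) -> list[str]:
    """Return findings for one installed app; an empty list means no concern."""
    findings, loc = [], app.permissions & LOCATION_PERMS
    if app.package in ALLOWLIST:
        cert, allowed = ALLOWLIST[app.package]
        if app.cert_sha256.upper() != cert:
            findings.append("cert-mismatch")         # same package, different signer
        if loc - allowed:
            findings.append("unjustified-location")  # beyond approved purpose
    else:
        if app.label in APPROVED_LABELS:
            findings.append("lookalike-label")       # trusted name, unknown package
        if loc:
            findings.append("unapproved-app-with-location")
    if app.source != "managed_store":
        findings.append("sideloaded")
    return findings

def triage(inventory: list[App]) -> list[tuple[str, list[str]]]:
    """Keep only apps with at least one finding, in inventory order."""
    return [(a.package, f) for a in inventory if (f := check_app(a))]

# Constructed inventory: legitimate copy, repackaged copy, lookalike app.
SAMPLE_INVENTORY = [
    App("ua.example.fieldcalc", "Field Calc", "AA11" * 16, "managed_store",
        {"android.permission.ACCESS_FINE_LOCATION"}),
    App("ua.example.fieldcalc", "Field Calc", "BB22" * 16, "sideload",
        {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_BACKGROUND_LOCATION"}),
    App("com.example.fieldcalc.free", "Field Calc", "CC33" * 16, "sideload",
        {"android.permission.ACCESS_COARSE_LOCATION"}),
]
```

Running `triage(SAMPLE_INVENTORY)` leaves the managed-store copy unflagged and reports the repackaged copy (signer mismatch, background location) and the lookalike (trusted label, unknown package), both sideloaded.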

Analyst notes and limits

The business relevance is strongest for organizations where mobile location data can expose people, assets, or operations. The supplied ATT&CK relationships tie this malware to Location Tracking and masquerading through legitimate-looking names or locations, which should drive defensive validation. The APT28 relationship is included as context from ATT&CK, but this take avoids asserting active exploitation or customer exposure.

ATT&CK does not provide official detection guidance, tactics, platforms on the object record, aliases, or labels for this malware entry. The Android focus is supported by the object name and description, but local applicability depends on whether the organization uses Android devices and whether relevant mobile telemetry is collected. Defensive recommendations require validation against the organization’s device ownership model, privacy/legal constraints, and mobile management capabilities.

Official MITRE ATT&CK definition

X-Agent for Android

X-Agent for Android is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. [1] It is tracked separately from CHOPSTICK.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Mobile | ID: T1655.001 | Name: Match Legitimate Name or Location (sub-technique)
Relationship / procedure: X-Agent for Android was placed in a repackaged version of an application used by Ukrainian artillery forces. (Citation: CrowdStrike-Android)

Domain: Mobile | ID: T1430 | Name: Location Tracking
Relationship / procedure: X-Agent for Android was believed to have been used to obtain locational data of Ukrainian artillery forces. (Citation: CrowdStrike-Android)

Associated objects

Groups, software, and campaigns

Group | Mobile

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ec4a8b8cd4beed4d...

Imported snapshots across ATT&CK releases (1)
Release: 19.1 | Bundle imported: | Object version: 1.0 | Modified: | Status: Current bundle | Raw hash: ec4a8b8cd4be…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CrowdStrike-Android: CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.
  2. [2] X-Agent for Android (Citation: CrowdStrike-Android)
  3. [3] mitre-attack S0314

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.