
S0318: XLoader for Android

XLoader for Android is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.[1][2] It is tracked separately from the XLoader for iOS.

Mobile | S0318 | Malware | Object v2.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

XLoader for Android matters because it represents malicious mobile app behavior that can turn personally or corporately used Android devices into collection and control points. The ATT&CK relationships show behaviors relevant to business risk: device and network discovery, SMS and audio collection, use of device administrator permissions, obfuscation, dead drop resolver C2 support, and app impersonation. For leaders, the key issue is whether Android devices that access business email, messaging, MFA, or sensitive workflows are governed, logged, and recoverable enough to support an incident decision.

Executive priority

Prioritize this as a mobile security and incident readiness concern, especially where Android devices are used for business access or identity verification. The decision value is not that this specific malware is present, but that the documented behaviors test whether the organization can control risky app installation, detect suspicious permissions, investigate mobile network activity, and remove or isolate a device with elevated administrator permissions. It also supports audit and compliance questions around mobile device management, acceptable use, data protection, and evidence retention.

Technical view

For SOC, detection engineering, and IR teams, validate Android-focused visibility around the related ATT&CK techniques: obfuscated app content or traffic, system and network configuration discovery, microphone access, SMS access, dead drop resolver-style network lookups, device administrator permission abuse, and apps that mimic legitimate names, icons, package names, or locations. Because MITRE provides no official detection text for this object and tactics are not specified, detections should be behavior-led and environment-specific rather than name-only. IR playbooks should confirm how to identify installed apps, permissions, device administrator status, SMS and microphone access, and recent network destinations for affected Android devices.

Likely telemetry

  • Mobile device management or enterprise mobility inventory for installed Android applications, package names, app names, icons, versions, and device administrator status
  • Android permission state and permission request history, especially SMS, microphone, and device administration permissions
  • Mobile endpoint security or app reputation findings for obfuscated APKs, suspicious package naming, or impersonation of trusted applications
  • Device network telemetry such as DNS, HTTP/S destination metadata, proxy logs, or secure web gateway logs that may show resolver-style infrastructure access
  • Device and OS inventory including Android version, patch level, hardware model, and network identifiers where available

Detection direction

  • Do not rely only on a malware family name; validate behavior-based coverage for the related techniques T1406, T1422, T1426, T1429, T1481.001, T1626.001, T1636.004, and T1655.001.
  • Tune for combinations of suspicious signals, such as an app impersonating a legitimate app plus requesting SMS, microphone, or device administrator permissions.
  • Review whether mobile network monitoring can distinguish routine web activity from unusual resolver or redirect behavior without overblocking legitimate web services.
  • Account for false positives from legitimate enterprise apps that collect device inventory, request administrative privileges, or use microphone/SMS capabilities for approved workflows.
  • Confirm that Android BYOD or unmanaged-device populations are not a blind spot, since the supplied object is Android-specific and mobile telemetry is often weaker than desktop telemetry.
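Detection logic for the signal combination in the second bullet above, as an added example that is not Glexia's or MITRE's code: it scores constructed MDM inventory records and flags an app only when a trusted display name with an unexpected package name (T1655.001) is combined with SMS, microphone or device administrator access (T1636.004, T1429, T1626.001). The record layout, the TRUSTED_APPS catalogue and the sample rows are assumptions.

```python
"""Flag Android inventory records where app impersonation is combined with
high-risk permissions. Added example, not Glexia or MITRE code; record layout,
trusted-app catalogue and sample rows are constructed."""

# Android permission strings mapped to the ATT&CK techniques on this page.
PERMISSION_TECHNIQUES = {
    "android.permission.READ_SMS": "T1636.004",
    "android.permission.RECEIVE_SMS": "T1636.004",
    "android.permission.RECORD_AUDIO": "T1429",
    "android.permission.BIND_DEVICE_ADMIN": "T1626.001",
}

# Hypothetical catalogue: display name -> package name the MDM expects.
TRUSTED_APPS = {"Android Security": "com.example.androidsecurity"}

def assess_app(record, trusted=TRUSTED_APPS):
    """Return technique IDs a record triggers and whether it is flagged.

    Flagged only when impersonation (T1655.001) is combined with a high-risk
    permission, so an approved SMS or audio app does not fire on its own.
    """
    techniques = set()
    name = record.get("app_name", "")
    package = record.get("package", "")
    expected = trusted.get(name)
    if expected is not None and package != expected:
        techniques.add("T1655.001")  # trusted name, unexpected package
    for perm in record.get("permissions", []):
        if perm in PERMISSION_TECHNIQUES:
            techniques.add(PERMISSION_TECHNIQUES[perm])
    if record.get("device_admin"):
        techniques.add("T1626.001")  # active device administrator
    risky = techniques - {"T1655.001"}
    flagged = "T1655.001" in techniques and bool(risky)
    return {"package": package, "techniques": sorted(techniques), "flagged": flagged}

def triage(records, trusted=TRUSTED_APPS):
    """Assess an inventory export and return only the flagged entries."""
    return [r for r in (assess_app(x, trusted) for x in records) if r["flagged"]]

# Constructed inventory: impersonator, legitimate SMS app, genuine security app.
SAMPLE_INVENTORY = [
    {"app_name": "Android Security", "package": "com.fake.secapp",
     "permissions": ["android.permission.READ_SMS",
                     "android.permission.RECORD_AUDIO"], "device_admin": True},
    {"app_name": "Corporate Messenger", "package": "com.example.messenger",
     "permissions": ["android.permission.RECEIVE_SMS"], "device_admin": False},
    {"app_name": "Android Security", "package": "com.example.androidsecurity",
     "permissions": ["android.permission.BIND_DEVICE_ADMIN"], "device_admin": True},
]
```

Only the first row is returned by triage: the messenger has no impersonation signal and the genuine security app's package matches the catalogue.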

Mitigation priorities

  • Establish or validate mobile device management controls for Android devices that access business resources, including app inventory, policy enforcement, and remote response capability.
  • Restrict or review high-risk permissions such as SMS, microphone, and device administrator access based on business need.
  • Use app allowlisting, managed app stores, or enterprise app vetting where feasible to reduce exposure to apps masquerading as legitimate software.
  • Require timely Android OS and security patch visibility as part of device compliance decisions.
  • Prepare incident response procedures for isolating, collecting evidence from, and recovering Android devices, including cases where device administrator permissions may complicate removal.

Analyst notes and limits

The ATT&CK object identifies XLoader for Android as a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018, later observed targeting South Korean users as a pornography application, and tracked separately from XLoader for iOS. The most useful defensive context comes from its ATT&CK technique relationships rather than from an official detection section, which is not provided.

This take is limited to the supplied MITRE STIX fields, external references, and relationships. The object does not provide official detection guidance, aliases, labels, or tactics, and it does not establish current exploitation, attribution, customer exposure, or guaranteed detection methods. Local device management scope, Android usage, logging, and app control evidence are required to assess actual risk and coverage.

Official MITRE ATT&CK definition

XLoader for Android

XLoader for Android is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.[1][2] It is tracked separately from the XLoader for iOS.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

8 rows
Domain | ID | Name | Relationship / procedure
Mobile | T1426 | System Information Discovery | XLoader for Android collects the device’s Android ID and serial number. (Citation: TrendMicro-XLoader-FakeSpy)
Mobile | T1429 | Audio Capture | XLoader for Android covertly records phone calls. (Citation: TrendMicro-XLoader)
Mobile | T1636.004 | SMS Messages (sub-technique) | XLoader for Android collects SMS messages. (Citation: TrendMicro-XLoader)
Mobile | T1406 | Obfuscated Files or Information | XLoader for Android loads an encrypted DEX code payload. (Citation: TrendMicro-XLoader)
Mobile | T1481.001 | Dead Drop Resolver (sub-technique) | XLoader for Android has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr. (Citation: TrendMicro-XLoader-FakeSpy)
Mobile | T1655.001 | Match Legitimate Name or Location (sub-technique) | XLoader for Android has masqueraded as an Android security application. (Citation: TrendMicro-XLoader-FakeSpy)
Mobile | T1626.001 | Device Administrator Permissions (sub-technique) | XLoader for Android requests Android Device Administrator access. (Citation: TrendMicro-XLoader)
Mobile | T1422 | System Network Configuration Discovery | XLoader for Android collects the device’s IMSI and ICCID. (Citation: TrendMicro-XLoader-FakeSpy)

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: 331c321b8e334e10...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | 331c321b8e33…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] TrendMicro-XLoader-FakeSpy: Hiroaki, H., Wu, L., Wu, L. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.
  2. [2] TrendMicro-XLoader: Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.
  3. [3] XLoader for Android (Citation: TrendMicro-XLoader)
  4. [4] mitre-attack S0318

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.