
S0405: Exodus

Exodus is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).[1]

Platform: Mobile · ID: S0405 · Type: Malware · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Exodus is an Android spyware family described by ATT&CK as a two-stage implant: Exodus One as the dropper and Exodus Two as the payload. Its ATT&CK relationships matter because they map to broad mobile collection and surveillance behaviors, including privilege escalation, runtime code download, application and network discovery, location tracking, audio/video/screen capture, and collection of calendar, call log, contacts, SMS, local files, and stored application data. For leaders, this is a reminder that mobile risk is not only device loss; a compromised phone can expose communications, identity material, sensitive business context, and physical location.

Executive priority

Prioritize this as a mobile spyware readiness case for Android fleets, especially where executives, field staff, regulated users, or operational personnel rely on mobile devices. The decision value is to verify whether the organization can govern app installation, detect risky permission and runtime behavior, preserve mobile evidence during incidents, and demonstrate compliance controls around sensitive communications and personal data. Because ATT&CK provides no official detection text for Exodus, assurance should come from validating telemetry and response playbooks rather than assuming existing SOC coverage applies.

Technical view

Defenders should validate Android-focused coverage against the related techniques: exploitation for privilege escalation, downloading new code at runtime, software and network discovery, use of web protocols and non-standard ports, collection from local system and application data, archiving collected data, and access to microphone, camera, screen, location, calendar, call logs, contacts, and SMS. SOC and IR teams should test whether EMM/MDM, mobile threat defense, network monitoring, and device forensic processes can correlate suspicious app permissions, post-install code retrieval, unusual sensor/content-provider access, privilege or root indicators, and outbound web traffic patterns. Tactics are not specified in the supplied ATT&CK object, so detection engineering should be technique-led rather than tactic-led.

Likely telemetry

  • Android app inventory, installation source, package metadata, and application update/change history
  • Requested and granted Android permissions, especially microphone, camera, location, contacts, calendar, call log, SMS, storage, and background location where available
  • Signals of runtime code download or execution not present in the original application package
  • Mobile OS integrity, rooting, privilege escalation, exploit, or abnormal sandbox access indicators
  • Access patterns to Android content providers and local storage for contacts, SMS, call logs, calendar entries, application data, and files

Detection direction

  • Do not rely on static app vetting alone; the related Download New Code at Runtime technique means post-install behavior is a key validation point.
  • Tune detections around combinations of suspicious permissions and behavior, such as broad personal-data access plus outbound web traffic, rather than single permissions that may be legitimate for business apps.
  • Validate visibility into Android devices specifically; the ATT&CK software object platform is Android even though some related techniques also list iOS.
  • Correlate privilege escalation or root indicators with access to data that normally requires elevated privileges, such as other applications’ stored data or protected local system sources.
  • Review network analytics for web-protocol communications on unexpected ports, while accounting for legitimate mobile applications that also use HTTPS and varied cloud endpoints.
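As an added example (not from ATT&CK, the cited report, or Glexia), the Python below sketches the combination-based scoring recommended above over constructed Android telemetry: permissions only count alongside egress or privilege indicators, and runtime code loading and non-standard ports add weight. The package names, event schema and weights are assumptions.

```python
# Added example: combination-based triage of Android app telemetry. All data below is
# constructed for illustration; package names, event fields and weights are assumptions.
SENSITIVE_PERMS = {"RECORD_AUDIO", "CAMERA", "ACCESS_FINE_LOCATION", "READ_CONTACTS",
                   "READ_CALENDAR", "READ_CALL_LOG", "READ_SMS", "READ_EXTERNAL_STORAGE"}
STANDARD_WEB_PORTS = {80, 443}

# App inventory: granted permissions and install source (constructed sample).
APPS = [
    {"pkg": "com.example.crm", "source": "managed_store",
     "perms": {"READ_CONTACTS", "ACCESS_FINE_LOCATION", "CAMERA"}},
    {"pkg": "com.example.weather", "source": "sideload",
     "perms": {"RECORD_AUDIO", "READ_SMS", "READ_CALL_LOG", "READ_CONTACTS", "CAMERA"}},
]
# Behavioural events as an MTD/MDM or network sensor might report them (constructed sample).
EVENTS = [
    {"pkg": "com.example.crm", "type": "flow", "dst_port": 443},
    {"pkg": "com.example.weather", "type": "flow", "dst_port": 443},
    {"pkg": "com.example.weather", "type": "code_load", "path": "files/stage2.dex"},
    {"pkg": "com.example.weather", "type": "flow", "dst_port": 22011},
    {"pkg": "com.example.weather", "type": "root_indicator", "detail": "su executed"},
]

def score_app(app, events):
    """Return (score, reasons) for one app. A sensitive permission on its own never
    scores; it only counts in combination with egress or privilege indicators."""
    ev = [e for e in events if e["pkg"] == app["pkg"]]
    sensitive = app["perms"] & SENSITIVE_PERMS
    flows = [e for e in ev if e["type"] == "flow"]
    odd_ports = sorted({f["dst_port"] for f in flows if f["dst_port"] not in STANDARD_WEB_PORTS})
    rooted = any(e["type"] == "root_indicator" for e in ev)
    loaded = any(e["type"] == "code_load" for e in ev)
    rules = [  # (condition, weight, reason) mapped to the related ATT&CK techniques
        (len(sensitive) >= 3 and bool(flows), 2, "broad personal-data access plus outbound traffic"),
        (loaded, 3, "code downloaded/loaded at runtime after install"),           # T1407
        (bool(odd_ports), 2, f"outbound traffic on non-standard port(s) {odd_ports}"),  # T1509
        (rooted and bool(sensitive), 3, "root/privilege indicator with sensitive data access"),  # T1404
        (app["source"] != "managed_store", 1, "installed outside the managed app source"),
    ]
    score = sum(w for hit, w, _ in rules if hit)
    reasons = [r for hit, _, r in rules if hit]
    return score, reasons

def triage(apps, events, threshold=4):
    """Map package -> (score, reasons) for apps at or above the alert threshold."""
    flagged = {}
    for app in apps:
        score, reasons = score_app(app, events)
        if score >= threshold:
            flagged[app["pkg"]] = (score, reasons)
    return flagged
```

With this sample the managed CRM app, which holds three sensitive permissions and talks to port 443, stays below threshold, while the sideloaded app is flagged on the combination of signals rather than on any one permission.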

Mitigation priorities

  • Start with mobile device governance: managed Android enrollment, approved app sources, app inventory, and the ability to remove or quarantine suspicious applications.
  • Restrict and review high-risk permissions for business apps, especially microphone, camera, location, SMS, contacts, calendar, call log, and storage access.
  • Maintain Android OS and application patching to reduce exposure to privilege-escalation vulnerabilities referenced by the related technique.
  • Control or monitor applications that can download and execute code after installation, and prefer app-vetting processes that include behavioral analysis where available.
  • Ensure mobile network protections can inspect or at least log relevant outbound destination, protocol, and port metadata without assuming HTTPS traffic is benign.

Analyst notes and limits

This take is based on the official ATT&CK S0405 software object, its Android platform designation, the description of Exodus as two-stage spyware, and the supplied relationships to mobile ATT&CK techniques. The relationship list is unusually useful for scoping defensive validation because it spans privilege escalation, runtime code loading, discovery, collection, staging, and communications behaviors.

ATT&CK provides no official detection text, no specified tactics, no aliases, and no active-exploitation or victim context in the supplied fields. Local conclusions require environment-specific evidence such as managed device coverage, installed app history, permission state, network logs, and forensic artifacts. This summary should not be read as proof that Exodus is present or that any control detects it automatically.

Official MITRE ATT&CK definition

Exodus

Exodus is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain ID Name Relationship / procedure

Mobile T1636.001 Calendar Entries (Sub-technique)

Exodus Two can exfiltrate calendar events. [1]

Mobile T1532 Archive Collected Data

Exodus One encrypts data using XOR prior to exfiltration. [1]

Mobile T1409 Stored Application Data

Exodus Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat. [1]

Mobile T1422.001 Internet Connection Discovery (Sub-technique)

Exodus One queries the device for its IMEI code and the phone number in order to validate the target of a new infection. [1]

Mobile T1404 Exploitation for Privilege Escalation

Exodus Two attempts to elevate privileges by using a modified version of the DirtyCow exploit. [1]

Mobile T1437.001 Web Protocols (Sub-technique)

Exodus One checks in with the command and control server using HTTP POST requests. [1]

Mobile T1636.003 Contact List (Sub-technique)

Exodus Two can download the address book. [1]

Mobile T1512 Video Capture

Exodus Two can take pictures with the device cameras. [1]

Mobile T1407 Download New Code at Runtime

Exodus One, after checking in, sends a POST request and then downloads Exodus Two, the second stage binaries. [1]

Mobile T1422 System Network Configuration Discovery

Exodus One queries the device for its IMEI code and the phone number in order to validate the target of a new infection. [1]

Mobile T1429 Audio Capture

Exodus Two can record audio from the compromised device's microphone and can record call audio in 3GP format. [1]

Mobile T1636.004 SMS Messages (Sub-technique)

Exodus Two can capture SMS messages. [1]

Mobile T1509 Non-Standard Port

Exodus Two attempts to connect to port 22011 to provide a remote reverse shell. [1]

Mobile T1421 System Network Connections Discovery

Exodus Two collects a list of nearby base stations. [1]

Mobile T1430 Location Tracking

Exodus Two can extract the GPS coordinates of the device. [1]

Mobile T1636.002 Call Log (Sub-technique)

Exodus Two can exfiltrate the call log. [1]

Mobile T1533 Data from Local System

Exodus Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password. [1]

Mobile T1513 Screen Capture

Exodus Two can take screenshots of any application in the foreground. [1]

Mobile T1418 Software Discovery

Exodus Two can obtain a list of installed applications. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a7611c2cb5259a1a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | a7611c2cb525…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] SWB Exodus March 2019: Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.
  2. [2] Exodus One (Citation: SWB Exodus March 2019)
  3. [3] Exodus Two (Citation: SWB Exodus March 2019)
  4. [4] mitre-attack S0405

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.