Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0405: Exodus

Exodus is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).[1]

MobileS0405MalwareObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Exodus is an Android spyware family described by ATT&CK as a two-stage implant: Exodus One as the dropper and Exodus Two as the payload. Its ATT&CK relationships matter because they map to broad mobile collection and surveillance behaviors, including privilege escalation, runtime code download, application and network discovery, location tracking, audio/video/screen capture, and collection of calendar, call log, contacts, SMS, local files, and stored application data. For leaders, this is a reminder that mobile risk is not only device loss; a compromised phone can expose communications, identity material, sensitive business context, and physical location.

Executive priority

Prioritize this as a mobile spyware readiness case for Android fleets, especially where executives, field staff, regulated users, or operational personnel rely on mobile devices. The decision value is to verify whether the organization can govern app installation, detect risky permission and runtime behavior, preserve mobile evidence during incidents, and demonstrate compliance controls around sensitive communications and personal data. Because ATT&CK provides no official detection text for Exodus, assurance should come from validating telemetry and response playbooks rather than assuming existing SOC coverage applies.

Technical view

Defenders should validate Android-focused coverage against the related techniques: exploitation for privilege escalation, downloading new code at runtime, software and network discovery, use of web protocols and non-standard ports, collection from local system and application data, archiving collected data, and access to microphone, camera, screen, location, calendar, call logs, contacts, and SMS. SOC and IR teams should test whether EMM/MDM, mobile threat defense, network monitoring, and device forensic processes can correlate suspicious app permissions, post-install code retrieval, unusual sensor/content-provider access, privilege or root indicators, and outbound web traffic patterns. Tactics are not specified in the supplied ATT&CK object, so detection engineering should be technique-led rather than tactic-led.

Likely telemetry

  • Android app inventory, installation source, package metadata, and application update/change history
  • Requested and granted Android permissions, especially microphone, camera, location, contacts, calendar, call log, SMS, storage, and background location where available
  • Signals of runtime code download or execution not present in the original application package
  • Mobile OS integrity, rooting, privilege escalation, exploit, or abnormal sandbox access indicators
  • Access patterns to Android content providers and local storage for contacts, SMS, call logs, calendar entries, application data, and files

Detection direction

  • Do not rely on static app vetting alone; the related Download New Code at Runtime technique means post-install behavior is a key validation point.
  • Tune detections around combinations of suspicious permissions and behavior, such as broad personal-data access plus outbound web traffic, rather than single permissions that may be legitimate for business apps.
  • Validate visibility into Android devices specifically; the ATT&CK software object platform is Android even though some related techniques also list iOS.
  • Correlate privilege escalation or root indicators with access to data that normally requires elevated privileges, such as other applications’ stored data or protected local system sources.
  • Review network analytics for web-protocol communications on unexpected ports, while accounting for legitimate mobile applications that also use HTTPS and varied cloud endpoints.

Mitigation priorities

  • Start with mobile device governance: managed Android enrollment, approved app sources, app inventory, and the ability to remove or quarantine suspicious applications.
  • Restrict and review high-risk permissions for business apps, especially microphone, camera, location, SMS, contacts, calendar, call log, and storage access.
  • Maintain Android OS and application patching to reduce exposure to privilege-escalation vulnerabilities referenced by the related technique.
  • Control or monitor applications that can download and execute code after installation, and prefer app-vetting processes that include behavioral analysis where available.
  • Ensure mobile network protections can inspect or at least log relevant outbound destination, protocol, and port metadata without assuming HTTPS traffic is benign.
Analyst notes and limits

This take is based on the official ATT&CK S0405 software object, its Android platform designation, the description of Exodus as two-stage spyware, and the supplied relationships to mobile ATT&CK techniques. The relationship list is unusually useful for scoping defensive validation because it spans privilege escalation, runtime code loading, discovery, collection, staging, and communications behaviors.

ATT&CK provides no official detection text, no specified tactics, no aliases, and no active-exploitation or victim context in the supplied fields. Local conclusions require environment-specific evidence such as managed device coverage, installed app history, permission state, network logs, and forensic artifacts. This summary should not be read as proof that Exodus is present or that any control detects it automatically.

Official MITRE ATT&CK definition

Exodus

Exodus is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

19 rows
Domain ID Name Relationship / procedure
Mobile T1636.001 Calendar Entries Sub-technique

Exodus Two can exfiltrate calendar events.[1]
Mobile T1532 Archive Collected Data

Exodus One encrypts data using XOR prior to exfiltration.[1]
Mobile T1409 Stored Application Data

Exodus Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat.[1]
Mobile T1422.001 Internet Connection Discovery Sub-technique

Exodus One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.[1]
Mobile T1404 Exploitation for Privilege Escalation

Exodus Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.[1]
Mobile T1437.001 Web Protocols Sub-technique

Exodus One checks in with the command and control server using HTTP POST requests.[1]
Mobile T1636.003 Contact List Sub-technique

Exodus Two can download the address book.[1]
Mobile T1512 Video Capture

Exodus Two can take pictures with the device cameras.[1]
Mobile T1407 Download New Code at Runtime

Exodus One, after checking in, sends a POST request and then downloads Exodus Two, the second stage binaries.[1]
Mobile T1422 System Network Configuration Discovery

Exodus One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.[1]
Mobile T1429 Audio Capture

Exodus Two can record audio from the compromised device's microphone and can record call audio in 3GP format.[1]
Mobile T1636.004 SMS Messages Sub-technique

Exodus Two can capture SMS messages.[1]
Mobile T1509 Non-Standard Port

Exodus Two attempts to connect to port 22011 to provide a remote reverse shell.[1]
Mobile T1421 System Network Connections Discovery

Exodus Two collects a list of nearby base stations.[1]
Mobile T1430 Location Tracking

Exodus Two can extract the GPS coordinates of the device.[1]
Mobile T1636.002 Call Log Sub-technique

Exodus Two can exfiltrate the call log.[1]
Mobile T1533 Data from Local System

Exodus Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password.[1]
Mobile T1513 Screen Capture

Exodus Two can take screenshots of any application in the foreground.[1]
Mobile T1418 Software Discovery

Exodus Two can obtain a list of installed applications.[1]
Relationship explorer

All related ATT&CK context

uses · Technique T1636.001: Calendar Entries Mobile uses · Technique T1532: Archive Collected Data Mobile uses · Technique T1409: Stored Application Data Mobile uses · Technique T1422.001: Internet Connection Discovery Mobile uses · Technique T1404: Exploitation for Privilege Escalation Mobile uses · Technique T1437.001: Web Protocols Mobile uses · Technique T1636.003: Contact List Mobile uses · Technique T1512: Video Capture Mobile uses · Technique T1407: Download New Code at Runtime Mobile uses · Technique T1422: System Network Configuration Discovery Mobile uses · Technique T1429: Audio Capture Mobile uses · Technique T1636.004: SMS Messages Mobile uses · Technique T1509: Non-Standard Port Mobile uses · Technique T1421: System Network Connections Discovery Mobile uses · Technique T1430: Location Tracking Mobile uses · Technique T1636.002: Call Log Mobile uses · Technique T1533: Data from Local System Mobile uses · Technique T1513: Screen Capture Mobile uses · Technique T1418: Software Discovery Mobile
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
a7611c2cb5259a1a...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle a7611c2cb525…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    SWB Exodus March 2019

    Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.

    Open source URL
  2. [2]
    Exodus One

    (Citation: SWB Exodus March 2019)

  3. [3]
    Exodus Two

    (Citation: SWB Exodus March 2019)

  4. [4]
    mitre-attack S0405
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use