{
	"id": "42fe32c7-1f75-4fc5-b296-f67d66cf2ae4",
	"created_at": "2026-04-06T00:11:24.042596Z",
	"updated_at": "2026-04-10T03:21:43.972589Z",
	"deleted_at": null,
	"sha1_hash": "53f73425065caa19f35e97856cea0252a2819347",
	"title": "XLoader Disguises as Android Apps, Has FakeSpy Links",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83749,
	"plain_text": "XLoader Disguises as Android Apps, Has FakeSpy Links\r\nBy: Hara Hiroaki, Lilang Wu, Lorin Wu Apr 02, 2019 Read time: 6 min (1602 words)\r\nPublished: 2019-04-02 · Archived: 2026-04-05 14:04:56 UTC\r\nIn previous attacks, XLoader posed as Facebook, Chrome and other legitimate applications to trick users into downloading its malicious app. Trend Micro researchers found a new variant that uses a different way to lure users. This new XLoader variant poses as a security app for Android devices, and uses a malicious iOS profile to affect iPhone and iPad devices. Aside from a change in its deployment techniques, a few changes in its code set it apart from its previous versions. This newest variant has been labeled XLoader version 6.0 (detected as AndroidOS_XLoader.HRXD), following the last version discussed in previous research on the malware family.\r\nInfection chain\r\nThe threat actors behind this version used several fake websites as their host — copying that of a Japanese mobile phone operator’s website in particular — to trick users into downloading the fake security Android application package (APK). Monitoring efforts on this new variant revealed that the malicious websites are spread through smishing. The infection has not spread very widely at the time of writing, but we’ve seen that many users have already received its SMS content.\r\nFigure 1. Screenshot of a fake website that hosts XLoader\r\nIn the past, XLoader showed the ability to mine cryptocurrency on PCs and perform account phishing on iOS devices. This new wave also presents unique attack vectors based on the kind of device it has accessed.\r\nIn the case of Android devices, accessing the malicious website or pressing any of the buttons will prompt the download of the APK. 
However, successfully installing this malicious APK requires that the user has allowed the installation of such apps, as controlled in the Unknown Sources settings. If users allow such apps to be installed, then it can be actively installed on the victim’s device.\r\nThe infection chain is slightly more roundabout in the case of Apple devices. Accessing the same malicious site would redirect its user to another malicious website (hxxp://apple-icloud[.]qwq-japan[.]com or hxxp://apple-icloud[.]zqo-japan[.]com) that prompts the user to install a malicious iOS configuration profile to solve a network issue preventing the site from loading. If the user installs the profile, the malicious website will open, revealing it to be an Apple phishing site, as seen in figure 2.\r\nFigure 2. Screenshots of the malicious websites for iOS device users\r\nTechnical analysis\r\nMost of this new attack’s routines are similar to those of the previous XLoader versions. However, as mentioned earlier, an analysis of this new variant showed some changes in its code in line with its new deployment method. We discuss these changes and their effect on Android and Apple devices.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/\r\nPage 1 of 6\n\nMalicious APK\r\nLike its previous versions, XLoader 6.0 abuses social media user profiles to hide its real C\u0026C addresses, but this time its threat actors chose the social media platform Twitter, which was never used in previous attacks. The real C\u0026C address is encoded in the Twitter names, and can only be revealed once decoded. This adds an extra layer against detection. The code for this characteristic and the corresponding Twitter accounts can be seen in figures 3 and 4 respectively.\r\nFigure 3. 
Code snippets showing XLoader 6.0 abusing Twitter to hide the real C\u0026C address\r\nFigure 4. Malicious Twitter pages that hide the real C\u0026C address\r\nVersion 6.0 also adds a command called “getPhoneState”, which collects unique identifiers of mobile devices such as IMSI, ICCID, Android ID, and device serial number. This addition is seen in Figure 5. Considering the other malicious behaviors of XLoader, this added operation could be very dangerous as threat actors can use it to perform targeted attacks.\r\nFigure 5. Code snippets that show XLoader 6.0 adding a new C\u0026C command, getPhoneState\r\nMalicious iOS profile\r\nIn the case of Apple devices, the downloaded malicious iOS profile gathers the following:\r\nUnique device identifier (UDID)\r\nInternational Mobile Equipment Identity (IMEI)\r\nIntegrated Circuit Card ID (ICCID)\r\nMobile equipment identifier (MEID)\r\nVersion number\r\nProduct number\r\nThe profile installation differs depending on the iOS version. For versions 11.0 and 11.4, the installation is straightforward. If a user visits the profile host website and allows the installer to download, the iOS system will go directly to the “Install Profile” page (which shows a verified safety certificate), and then request the user’s passcode for the last step of installation.\r\nFigure 6. Installation process for iOS 11.0 and iOS 11.4\r\nOn later versions, specifically iOS 12.1.1 and iOS 12.2, the process is different. After the profile is downloaded, the iOS system will first ask users to review the profile in their settings if they want to install it. Users can see a “Profile Downloaded” entry added in their settings (this feature is in iOS 12.2, but not on iOS 12.1.1). This gives users a chance to see details and better understand any changes made. After the review, the process is the same as above.\r\nFigure 7. 
Installation process for iOS 12.1.1 and iOS 12.2\r\nAfter the profile is installed, the user will then be redirected to another Apple phishing site. The phishing site uses the gathered information as its GET parameters, allowing the attacker to access the stolen information.\r\nFigure 8. Code snippet showing how the profile gathers information\r\nOngoing activity\r\nWhile monitoring this particular threat, we found another XLoader variant posing as a pornography app aimed at South Korean users. The \"porn kr sex\" APK connects to a malicious website that runs XLoader in the background. The website uses a different fixed Twitter account (https://twitter.com/fdgoer343). This attack, however, seems exclusive to Android users, as it does not have the code to attack iOS devices.\r\nFigure 9. Screenshot of the pornography website used by the new XLoader variant\r\nSubsequent monitoring efforts revealed a newer variant that exploits the social media platforms Instagram and Tumblr instead of Twitter to hide its C\u0026C address. We labeled this new variant XLoader version 7.0, because of the different deployment method and its use of native code to load the payload and hide in Instagram and Tumblr profiles. These more recent developments indicate that XLoader is still evolving.\r\nAdding connections to FakeSpy\r\nWe have been seeing activity from XLoader since 2018, and have since followed up our initial findings with detailed research revealing a wealth of activity dating back to as early as January 2015, which outlined a major discovery—its connection to FakeSpy. 
The emergence of XLoader 6.0 not only indicates that the threat actors behind it remain active; it also holds fresh evidence of its connection to FakeSpy.\r\nOne immediately apparent connection was the similar deployment technique used by both XLoader 6.0 and FakeSpy. XLoader had again cloned a different legitimate Japanese website to host its malicious app, similar to what FakeSpy had also done before. Their similarity is made more apparent by looking at their naming method for downloadable files, the domain structure of fake websites and other details of their deployment techniques, exemplified in figure 10.\r\nFigure 10. Source code for malicious websites used by XLoader (left) and FakeSpy (right)\r\nXLoader 6.0 also mirrors the way FakeSpy hides its real C\u0026C server. Where before it had used several different social media platforms, it now uses Twitter, something FakeSpy has done in its past attacks. Analysis of the malicious iOS profile also revealed further connections, as the profile can also be downloaded from a website that FakeSpy deployed early this year.\r\nConclusion and security recommendations\r\nThe continued monitoring of XLoader showed how its operators continuously changed its features, such as its attack vector, deployment infrastructure and deployment techniques. This newest entry seems to indicate that these changes won’t be stopping soon. Being aware of this fact can help create defensive strategies, as well as prepare for upcoming attacks.\r\nIn addition, just as uncovering new characteristics is important, finding ones we’ve also seen in a different malware family like FakeSpy also provides valuable insight. 
Links between XLoader and FakeSpy can give clues to the much broader inner workings of the threat actors behind them.\r\nPerhaps more information on XLoader will be known in the future. For now, users can make the best of the knowledge they have now to significantly reduce the effectiveness of such malware. Users of iOS can remove the malicious profile using Apple Configurator 2, Apple’s official iOS helper app for managing Apple devices. Following simple best practices, like strictly downloading applications or any files from trusted sources and being wary of unsolicited messages, can also prevent similar attacks from compromising devices.\r\nTrend Micro Solutions\r\nUsers can take advantage of Trend Micro™ Mobile Security for Android™ products (available on Google Play) to block malicious apps that may exploit this vulnerability. End users and enterprises can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft. For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning. 
It also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and access to fraudulent websites.\r\nIndicators of Compromise\r\nSHA256 Package App label\r\nMalicious URLs:\r\nMalicious Twitter 
accounts:\r\nMalicious Instagram account:\r\nMalicious Tumblr accounts:\r\nC\u0026C addresses:\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"
	],
	"report_names": [
		"new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy"
	],
	"threat_actors": [],
	"ts_created_at": 1775434284,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53f73425065caa19f35e97856cea0252a2819347.pdf",
		"text": "https://archive.orkl.eu/53f73425065caa19f35e97856cea0252a2819347.txt",
		"img": "https://archive.orkl.eu/53f73425065caa19f35e97856cea0252a2819347.jpg"
	}
}