{
	"id": "9fed2886-d5c6-4362-a6e5-0f72b653b6d4",
	"created_at": "2026-04-06T00:22:09.766685Z",
	"updated_at": "2026-04-10T03:20:27.476385Z",
	"deleted_at": null,
	"sha1_hash": "ffbedc5c8812b3575d3d2ff6d8c9931d03583845",
	"title": "XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 681921,
	"plain_text": "XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing\r\nBy: Trend Micro, Apr 20, 2018. Read time: 5 min (1359 words)\r\nPublished: 2018-04-20 · Archived: 2026-04-05 18:45:21 UTC\r\nWe have been detecting a new wave of network attacks since early March 2018 that, for now, target Japan, Korea, China, Taiwan, and Hong Kong. The attacks use Domain Name System (DNS) cache poisoning/DNS spoofing to distribute and install malicious Android apps; access to the victims’ routers is possibly gained through brute-force or dictionary attacks against their credentials. Trend Micro detects these apps as ANDROIDOS_XLOADER.HRX.\r\nThe malware poses as a legitimate Facebook or Chrome application. It is served from attacker-controlled domains, which the poisoned DNS resolves for the victim and which push a fake notification to the unwitting victim’s device. The malicious apps can steal personally identifiable and financial data and install additional apps. XLoader can also hijack the infected device (for example, to send SMS messages) and has self-protection and persistence mechanisms that rely on device administrator privileges.\r\nhttps://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html\r\nPage 1 of 11\r\nFigure 1. Screenshot of the fake Facebook and Chrome apps (highlighted)\r\nFigure 2. XLoader’s infection chain\r\nInfection Chain\r\nAs with our earlier reports in late March, the attack chain involves diverting internet traffic to attacker-specified domains by compromising the router and overwriting its DNS settings. A fake alert then notifies the user and urges them to visit the malicious domain and download XLoader.\r\nFigure 3. 
Screenshot of the fake notification on a spoofed/poisoned domain\r\nTechnical Analysis\r\nXLoader first loads the encrypted payload from Assets/db as test.dex to drop the modules it needs, then requests device administrator privileges. Once the user grants them, it hides its icon from the launcher’s application list and starts a service that it keeps running in the background. The background service uses reflection (a Java feature that lets a program inspect and invoke classes and methods by name at runtime) to call the method com.Loader.start in the payload.\r\nFigure 4. Code snippet showing the main malicious module invoked via reflection\r\nMonitoring Broadcast Events\r\nXLoader dynamically registers many broadcast receivers in the payload to monitor broadcast events sent between the system and applications. These receivers are what trigger XLoader’s malicious routines. The broadcast actions it registers for are:\r\nandroid.provider.Telephony.SMS_RECEIVED\r\nandroid.net.conn.CONNECTIVITY_CHANGE\r\nandroid.intent.action.BATTERY_CHANGED\r\nandroid.intent.action.USER_PRESENT\r\nandroid.intent.action.PHONE_STATE\r\nandroid.net.wifi.SCAN_RESULTS\r\nandroid.intent.action.PACKAGE_ADDED\r\nandroid.intent.action.PACKAGE_REMOVED\r\nandroid.intent.action.SCREEN_OFF\r\nandroid.intent.action.SCREEN_ON\r\nandroid.media.RINGER_MODE_CHANGED\r\nandroid.sms.msg.action.SMS_SEND\r\nandroid.sms.msg.action.SMS_DELIVERED\r\nCreating a Web Server to Phish\r\nXLoader creates a provisional web server to receive the broadcast events. It can also run a simple HTTP server on the infected device to deceive victims. 
It shows a web phishing page whenever the affected device receives a broadcast event (for example, when a new package is installed or the device’s screen turns on) to steal personal data, such as credentials keyed into banking apps. The phishing page is translated into Korean, Japanese, Chinese, and English; the translations are hardcoded in the payload, and the version shown depends on the language set on the device.\r\nFigure 5. Screenshot of the phishing page (in Japanese)\r\nXLoader as Spyware and Banking Trojan\r\nXLoader can also collect information about the use of apps installed on the device. Its data-stealing capabilities include collecting SMS messages after receiving an SMS-related broadcast event and covertly recording phone calls. XLoader can also hijack accounts linked to financial or game-related apps installed on the affected device.\r\nFigure 6. Code snippet showing how XLoader records phone calls\r\nXLoader can also start other attacker-specified packages. A possible attack scenario involves replacing legitimate apps with repackaged or malicious versions: by monitoring the package-installation broadcast event, XLoader can start those packages, which lets it launch malicious apps without the user’s awareness or explicit consent.\r\nWe reverse engineered XLoader and found that it appears to target South Korea-based banks and game development companies. 
XLoader also prevents victims from accessing the device’s settings or using a known antivirus (AV) app in the country.\r\nXLoader can also load multiple malicious modules to receive and execute commands from its remote command-and-control (C\u0026C) server, as shown below:\r\nFigure 7. Screenshot showing XLoader’s malicious modules\r\nHere is a list of the modules and their functions:\r\nsendSms — send an SMS/MMS to a specified address\r\nsetWifi — enable or disable the Wi-Fi connection\r\ngcont — collect all of the device’s contacts\r\nlock — currently only records a lock status in the settings (pref) file, but may be used for screen-locking ransomware\r\nbc — collect all contacts from the Android device and the SIM card\r\nsetForward — currently not implemented, but can be used to hijack the infected device\r\ngetForward — currently not implemented, but can be used to hijack the infected device\r\nhasPkg — check whether a specified app is installed on the device\r\nsetRingerMode — set the device’s ringer mode\r\nsetRecEnable — set the device’s ringer mode to silent\r\nreqState — get detailed phone connection status, including the active network and Wi-Fi (with or without password)\r\nshowHome — force the device back to the home screen\r\ngetnpki — get files/content from the folder named NPKI (which contains certificates used for financial transactions)\r\nhttp — access a specified network resource using HttpURLConnection\r\nonRecordAction — simulate a number-dialed tone\r\ncall — call a specified number\r\nget_apps — get all the apps installed on the device\r\nshow_fs_float_window — show a full-screen window for phishing\r\nOf note is XLoader’s abuse of the WebSocket protocol (supported in many browsers and web applications), via ws (WebSocket) or wss (WebSocket over SSL/TLS), to communicate with its C\u0026C servers. 
The URLs abused as part of XLoader’s C\u0026C are hidden in three webpages, and the C\u0026C server that XLoader connects to differs per region.\r\nThe WebSocket protocol gives XLoader a persistent connection between client and server over which data can be sent at any time. XLoader uses MessagePack (a binary data interchange format) to package the stolen data and exfiltrates it over WebSocket for faster and more efficient transmission.\r\nFigure 8. Screenshot showing one of the web pages with a hidden C\u0026C-related URL\r\nFigure 9. Code snippet showing how XLoader parses the C\u0026C URL\r\nMitigations\r\nXLoader will not be downloaded to an Android device that is using a mobile data connection, since such a device does not resolve names through the compromised router. Nevertheless, users should practice proper security hygiene to mitigate threats that take advantage of a home or business router’s security gaps: use stronger credentials so the router is less susceptible to unauthorized access, regularly update and patch its software and firmware to prevent exploits, and enable its built-in firewall.\r\nFor system administrators and information security professionals, configuring the router to be more resistant to attacks like DNS cache poisoning can help mitigate similar threats. Everyday users can do the same by checking whether the router’s DNS settings have been modified. 
Even threats like DNS cache poisoning employ social engineering, so users should also be wary of suspicious or unknown messages that have telltale signs of malware.\r\nWe have worked with Google, and Google Play Protect proactively catches apps of this nature. No instances of these apps were found in Google Play.\r\nTrend Micro Solutions\r\nTrend Micro™ Mobile Security blocks malicious apps of this kind. End users and enterprises can also benefit from its multilayered security capabilities that secure the device’s data and privacy and safeguard them from ransomware, fraudulent websites, and identity theft.\r\nFor organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance, and application management, data protection, and configuration provisioning. It also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and access to fraudulent websites.\r\nTrend Micro’s Mobile App Reputation Service (MARS) covers Android threats using leading sandbox and machine learning technologies. 
It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.\r\nIndicators of Compromise\r\nHashes detected as ANDROIDOS_XLOADER.HRX (SHA-256):\r\nSHA-256 hash | Package | Label\r\n0F49416B6BCB6E755D999255FABB4C77C5EA7DEDEB7E6CDB0925C4F23C1FB00E | fddf.tre.hjgdsgkh | Chrome\r\n958135E163E0518F24FBD1AF6EF18C30E30C1A4DFB383FF47D11193055D4CDCE | fghdf.rtghj.hjkh | Chrome\r\nC65318AA58C9091B938948B62C4B5D6E47237697D8D2F96863F99EF177B6818D | ghd.et.hds | Chrome\r\n62312475CF0EC1ED66FA29938C30D029BA2F02BCD6B6ED5AC6C0E5DBE3626BF6 | gfhd.rewq.cvxbdf | Chrome\r\n17D1415176121AFF8C0020C3A094B3D72F9802F5145C80EBCA47DCFE10CC21F6 | gfdg.qwe.gsdg | Facebook\r\n1849E8DFD9D1C03DBE6C1464F9B05492012A6C14A0A5B63FEB938F1C8B70309B | jfgh.rtw.ghm | Facebook\r\nAC0C7F59859B5DC3ACBC3BACA6A6B0FD6ECD05375D06995D7E28D3F6CB36322A | gwer.dfdf.cxv | Facebook\r\nB623DA28673A1934BD61DEA94A88C37E5FBE9999ED3D6BA311176D65F64C4A4D | ertt.fgh.nfg | Facebook\r\n4232B36C2B306A47B6C67D5D949349024F57CDBC45163A2CA7B7DEE304229C2B | gfdg.qwe.gsdg | Facebook\r\nB8FB1857881F20E8E3223E390E13E6DD97D47CABB81870D51421C04631D63FC1 | ertt.fgh.nfg | Facebook\r\nAA183FDA57FDE0137AB931F3729215956E6F9EE158D90ED82151948F70DB841B | dfg67.as44f.cvx87df | Facebook\r\nB125EA78FB390950893D146A51F513440314BE7648207B59E5D0A1752740F273 | jfgh.rtw.ghm | Facebook\r\n6690FBA689E5AE957E0D01565BA8F849E0F6AA214F2F93535D1A7C9C75030BD3 | ertt.fgh.nfg | Facebook\r\nE690C05F2AB668A661CD219E324291819D5F5646775C2A17F3B3A03E79332A04 | tryrt.sdf.bfd | Facebook\r\n4E32493E6C87B0E2EF3E6AE32F5C32D75AE36C92524A185EABC88FEA3C7938C8 | fddf.tre.hjgdsgkh | Facebook\r\n82D7A496091BD8B0435359BAFC9E7C923CF09BE58D3ECC9C477E29E541811582 | trghj.asdf.cvxebdf | Facebook\r\nE1FB10B714420F23F1BB09B6C4C55B674B6EFD93685EE7D1D4574C7FA8B39A94 | trghj.asdf.cvxebdf | Facebook\r\nCC2617D7D904986B83BAF7843DB6969151363000678E8DA599EDBF6CF23CB827 | jfgh.rtw.ghm | Facebook\r\n3698DF22E8A4656FC53BD2BDE2DA74DD9DA9008348129347D5D3E6F976FABA6C | trghj.asdf.cvxebdf | Facebook\r\n065E266016A15BB639C31D49511DBCD0ADC83261D03C6652DFBFCAB611B9DB53 | trghj.asdf.cvxebdf | Facebook\r\n6F20F227F79DEBFDAE32233B59F4DC15C7FAF05036B21E8CD46B24EBC52F0BF8 | gfdg.qwe.gsdg | Facebook\r\nA4031768A9F1AEB227389EDD99140303420F3A45F0C136D3863C703C685CDEF1 | tryrt.sdf.bfd | Facebook\r\n7E49B7C6ED359B4E910E8D4D2C9436D99CDDEB7F9AF2E2F1082D0CA45D469566 | jfgh.rtw.ghm | Facebook\r\nSource: https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html"
	],
	"report_names": [
		"xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434929,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ffbedc5c8812b3575d3d2ff6d8c9931d03583845.pdf",
		"text": "https://archive.orkl.eu/ffbedc5c8812b3575d3d2ff6d8c9931d03583845.txt",
		"img": "https://archive.orkl.eu/ffbedc5c8812b3575d3d2ff6d8c9931d03583845.jpg"
	}
}