ClickCease MoqHao Evolution Poses Immense Threat to Android Users

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

MoqHao Evolution Poses Immense Threat to Android Users

Wajahat Raja

February 20, 2024 - TuxCare expert team

Cybersecurity threat experts have recently discovered a new variant of the malware named XLoader, commonly known as MoqHao, that has the ability to automatically infect devices without any user interaction. Being termed the MoqHao evolution, this is a new version of the infamous android malware that has been long linked with Roaming Mantis, a financially motivated group of hackers based in China.

In this article, we will explore the background of MoqHao Evolution in detail and see how it operates differently from its earlier variants.


MoqHao Evolution – A Timeline

MoqHao is a mobile-based android threat that is used for phishing purposes and first appeared as a
cybersecurity threat in 2015. Threat actors behind the malware-initiated attacks based on phishing activities through SMS, also referred to as “smishing,” in Asia. The major locations that were the target of MoqHao were Japan, South Korea, and Bangladesh. 

However, it later moved to European countries as well, like France and Germany. This received the attention of many cybersecurity threat experts. They deemed it as a serious threat to users because this notorious Android malware had robbed thousands of users by tricking them. 

Recent reports have mentioned that this Android malware now operates in 27 regional languages. This is a considerable increase from the 4 regional languages at the start, and highlights the widespread nature of the target users.

What Has Changed In MoqHao?

The biggest difference between the previous variants of this
Android malware and the latest one is that it now does not need user interaction to infect the device. The earlier variants needed the user to launch this malware manually. After the user clicks on the installation link that is received through their phone’s SMS app, this new cybersecurity threat leads to the automatic execution of malicious code.

How The Evolved MoqHao Operates?

Understanding how the malware operates is essential for
developing cybersecurity strategies. It masks itself as legitimate apps like the Chrome web browser by employing Unicode strings. However, if users are careful enough, they can identify it as the name of the software appears slightly different. For example, “Chrome” will appear as “chrome”. 

Once the malware is installed, it tricks the user into granting hazardous permissions over different apps and notifications. MoqHao asks the users to make the malicious application their default messaging app, meaning that it could operate in the background. 

Such permissions allow the malware to carry out malicious actions without raising any red flags. The landing URLs and phishing messages are extracted by this malware through the user’s Pinterest profile. Also, it has the capability to execute a wide array of commands such as:

  • get_photo: transmission of user’s photos to its server.
  • gcont: transfer of the user’s contact list to the control server.
  • get_photo: Collection of data related to the device’s identifiers, such as sim numbers.
  • sendSms: sending malicious messages through impersonation.  


Data leaks and
cybersecurity threats have become an increasing concern for the general public in recent years. The MoqHao evolution poses a greater threat of phishing across the globe. Given the severity of the attacks and their aftermath, implementing proactive cybersecurity measures is essential as it can help safeguard against such threats and improve the overall security posture. 

The sources for this piece include articles in McAfee and BleepingComputer.


MoqHao Evolution Poses Immense Threat to Android Users
Article Name
MoqHao Evolution Poses Immense Threat to Android Users
Know everything about MoqHao Evolution and learn how to protect your devices from this Android malware capable of automatic code execution.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter