The Xamalicious Android malware has been installed from Google Play more than 330,000 times

Xamalicious is a new Android backdoor malware that has infected approximately 338,300 devices via Google Play. It disguises itself as legitimate apps, such as health, game, horoscope, and productivity apps, and is also distributed through third-party marketplaces. Upon installation, it requests access to the Accessibility Service, which lets it perform privileged actions such as navigation gestures, hiding on-screen elements, and granting additional permissions to itself. Xamalicious is built with Xamarin, an open-source mobile app framework for building Android and iOS apps in .NET and C#. It gathers metadata about the compromised device and contacts a command-and-control (C2) server, which decides whether a second-stage payload should be downloaded.

The second-stage payload is injected dynamically as an assembly DLL at runtime, giving the operator full control of the infected device through the extensive accessibility privileges granted in the first stage. Xamalicious also supports a self-update mechanism for the main APK, making it a potent tool for malicious activity. All C2 communication is wrapped in a JSON Web Encryption (JWE) token using RSA-OAEP and A128CBC-HS256, which hampers analysis and detection. The researchers have also identified a link between Xamalicious and an ad-fraud app named “Cash Magnet,” which installs apps and performs automated ad clicking to earn revenue illicitly.
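The JWE detail above is something a defender can actually look for in captured traffic. A JWE compact serialization is five base64url segments separated by dots, and the first segment is a cleartext JSON header that names the key-management algorithm (`alg`) and the content-encryption algorithm (`enc`); the payload itself is opaque without the private key, but the header is not. The Python below is an added example, not code from the McAfee report or from the malware: it builds a constructed sample token carrying the reported RSA-OAEP / A128CBC-HS256 header (the other four segments are random filler and the `typ` field is an assumption) and shows how to pull the header out of any token of that shape.

```python
import base64
import json
import secrets
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding urlsafe_b64decode expects."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(header: dict) -> str:
    """Constructed five-segment JWE compact serialization for exercising the parser.
    Only the protected header is meaningful; the other four segments are random
    filler sized like an RSA-2048-wrapped key, a 16-byte IV, some ciphertext and
    a 16-byte tag, so the token has the shape of real traffic but decrypts to nothing."""
    protected = json.dumps(header, separators=(",", ":")).encode("utf-8")
    return ".".join([
        b64url_encode(protected),
        b64url_encode(secrets.token_bytes(256)),  # encrypted CEK (filler)
        b64url_encode(secrets.token_bytes(16)),   # IV (filler)
        b64url_encode(secrets.token_bytes(48)),   # ciphertext (filler)
        b64url_encode(secrets.token_bytes(16)),   # authentication tag (filler)
    ])


# Algorithm pair the report attributes to Xamalicious C2 messages; "typ" is assumed.
REPORTED_HEADER = {"alg": "RSA-OAEP", "enc": "A128CBC-HS256", "typ": "JWE"}
SAMPLE_TOKEN = build_sample_token(REPORTED_HEADER)


def parse_jwe_header(token: str) -> Optional[dict]:
    """Return the protected header of a JWE compact token, or None when the string
    does not have five segments whose first decodes to a JSON object with alg and enc."""
    parts = token.strip().split(".")
    if len(parts) != 5:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return None  # not base64url, not JSON, or not valid UTF-8
    if not isinstance(header, dict) or "alg" not in header or "enc" not in header:
        return None
    return header


def matches_reported_profile(token: str) -> bool:
    """True when the header names RSA-OAEP key management with A128CBC-HS256
    content encryption, the combination reported for Xamalicious."""
    header = parse_jwe_header(token)
    return header is not None and header["alg"] == "RSA-OAEP" and header["enc"] == "A128CBC-HS256"


if __name__ == "__main__":
    print("sample header:", parse_jwe_header(SAMPLE_TOKEN))
    print("matches reported profile:", matches_reported_profile(SAMPLE_TOKEN))
```

A match on this algorithm pair is a triage signal, not a verdict: plenty of legitimate apps use JWE with exactly these settings, so the hit has to be correlated with which package produced the traffic and where it was sent before anything is concluded.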

The malware has infected devices in the United States, Germany, Spain, the U.K., Australia, Brazil, Mexico, and Argentina. McAfee has discovered 14 infected apps on Google Play, with three having 100,000 installs each. Google has banned 13 infected Android apps, and users are advised to delete them from their phones. It is recommended that users install security software on their devices and always keep it up to date to mitigate the risks linked with these kinds of malware.

The symptoms of the Xamalicious Android malware include:

  1. Unusual Behavior: The malware can perform a range of fraudulent actions, such as ad fraud, which may lead to unusual behavior on the infected device, including unexpected app installations and unfamiliar ads or pop-ups.
  2. Degraded Performance: Infected devices may experience degraded performance, such as slowing down, due to the malware’s activities that consume device resources, such as CPU and memory.
  3. High Data Usage: The malware’s activities, such as ad fraud, can lead to unusually high data usage on the infected device.

These symptoms indicate a potential infection of the Xamalicious Android malware and should prompt users to take action, such as installing security software and removing any suspicious apps from their devices.

How does Xamalicious Android malware infect devices?

Xamalicious Android malware infects devices by disguising itself as legitimate apps, such as health, game, horoscope, and productivity apps, distributed through third-party marketplaces. Upon installation, it requests access to the Accessibility Service, which lets it perform privileged actions such as navigation gestures, hiding on-screen elements, and granting additional permissions to itself. Xamalicious relies on social engineering to obtain accessibility privileges, then contacts its C2 server, which decides whether a second-stage payload should be downloaded. The second-stage payload is injected dynamically as an assembly DLL at runtime, giving the operator full control of the infected device through the accessibility privileges granted in the first stage. The malware also supports a self-update mechanism for the main APK, making it a potent tool for malicious activity.
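Because the whole chain hinges on the Accessibility Service grant, the most useful single check on a suspect device is to list which packages currently hold that grant. Android keeps this in the `enabled_accessibility_services` secure setting, readable over ADB with `adb shell settings get secure enabled_accessibility_services`. The Python below is an added example, not from the report or the malware: it parses that value into package/service pairs and flags anything outside an assumed allowlist. The sample setting value and the `com.example.horoscope.daily` package are constructed stand-ins, not indicators from the report; TalkBack is used as the one legitimately expected entry.

```python
import subprocess
from typing import Iterable, List, Optional, Tuple

# Constructed sample of the value returned by
#   adb shell settings get secure enabled_accessibility_services
# on a device with two services enabled. com.example.horoscope.daily is a
# hypothetical package standing in for a trojanised app, not an indicator from
# the report; TalkBack is a real screen reader that legitimately needs access.
SAMPLE_SETTING = (
    "com.example.horoscope.daily/.AccessService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Assumed allowlist: packages the device owner expects to hold accessibility access.
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting_value: Optional[str]) -> List[Tuple[str, str]]:
    """Split the colon-separated setting into (package, service class) pairs.
    Android prints 'null' when nothing is enabled, and a class written as
    '.Name' is relative to its package, so it is expanded here."""
    value = (setting_value or "").strip()
    if not value or value == "null":
        return []
    services = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, _, service = entry.partition("/")
        if service.startswith("."):
            service = package + service
        services.append((package, service))
    return services


def unexpected_services(setting_value: Optional[str], allowlist: Iterable[str]) -> List[Tuple[str, str]]:
    """Enabled accessibility services whose package is not on the allowlist."""
    allowed = set(allowlist)
    return [(pkg, svc) for pkg, svc in parse_enabled_services(setting_value) if pkg not in allowed]


def read_setting_from_device() -> Optional[str]:
    """Read the live value over ADB; None when adb is missing or no device answers."""
    try:
        result = subprocess.run(
            ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
            capture_output=True, text=True, timeout=15, check=True,
        )
    except (FileNotFoundError, subprocess.SubprocessError):
        return None
    return result.stdout


if __name__ == "__main__":
    live = read_setting_from_device()
    value = live if live is not None else SAMPLE_SETTING
    source = "device" if live is not None else "constructed sample"
    print(f"enabled accessibility services ({source}):")
    for pkg, svc in parse_enabled_services(value):
        flag = "" if pkg in ALLOWLIST else "  <-- not on allowlist, review this app"
        print(f"  {pkg} -> {svc}{flag}")
```

A flagged package is then worth cross-checking against the third-party package list (`adb shell pm list packages -3`) and, once confirmed as the offending app, removing with `adb shell pm uninstall --user 0 <package>`; revoking the accessibility grant first, in Settings, stops the malware from interfering with the uninstall through the same privileges it abused.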

What actions can Xamalicious Android malware perform on infected devices?

Xamalicious Android malware can perform a variety of actions on infected devices. Once accessibility permissions are granted, the malware contacts its server and collects a range of device data, including the list of installed applications, location, carrier, and network information. It can also download a second-stage payload, injected dynamically as an assembly DLL at runtime, to take full control of the device through the accessibility privileges granted in the first stage, and it can self-update the main APK, making it a potent tool for malicious activity. Xamalicious can carry out fraudulent activity such as ad fraud, which consumes processor time and network bandwidth, and it can steal sensitive information such as credentials, account details, credit/debit card data, and national identity information.

How does Xamalicious Android malware collect location, carrier, and network information?

The Xamalicious Android malware collects location, carrier, and network information from infected devices. According to the McAfee Mobile Research Team, the malware gathers a range of device data, including location, carrier, and network information, as well as the device’s rooting status and ADB connectivity configuration. The malware uses its accessibility permissions to obtain information about the device’s location, carrier, and network. Users should be cautious when downloading apps from third-party app stores, as such malicious apps can infect their devices with malware like Xamalicious.

What are the potential risks of Xamalicious Android malware?

The Xamalicious Android malware poses several potential risks to infected devices, including:

  1. Data Collection: Xamalicious gathers diverse device information, such as Android ID, operating system version, USB configuration, ADB status, device location, CPU details, and a list of installed applications.
  2. Second-Stage Payload: The malware can download a second-stage payload, which is dynamically injected to take complete control of the infected device, potentially leading to unauthorized access to sensitive information and engaging in fraudulent activities.
  3. Ad Fraud and Performance Impact: Xamalicious is linked to ad-fraud activity, where automated ad clicking degrades processor performance and consumes network bandwidth.
  4. Self-Update Mechanism: The malware supports a self-update mechanism for the main APK, making it a versatile and potent tool for malicious activities.
  5. Information Theft: Xamalicious can steal sensitive information, including credentials, account, credit/debit card, and national identity information.
  6. Distribution and Evasion: The malware is distributed through third-party marketplaces and disguises itself as legitimate apps, which makes it harder to detect and helps it evade analysis.

To mitigate these risks, it is essential for users to install security software on their devices and to be cautious when downloading apps from third-party sources.

What are the consequences of having Xamalicious Android malware on a device?

The Xamalicious Android malware can have severe consequences for a device. It can download malicious applications, open unsafe web pages, send expensive SMS text messages, and steal information such as passwords, personal details, location, and contact lists. This can result in financial losses, identity theft, and the compromise of sensitive data. Additionally, more sophisticated malware can take the form of ransomware, which locks the device and encrypts its data, leading to further damage and potential financial extortion. It is crucial to use robust antivirus software, install applications only from trusted sources, and be proactive in preventing and removing malware from Android devices.

How can users protect themselves from Xamalicious Android malware?

Users can protect themselves from Xamalicious Android malware and other malware by following these best practices:

  1. Download apps from trusted sources: Only download apps from official stores like Google Play and avoid third-party marketplaces where hackers can plant malware-ridden apps.
  2. Keep your device’s software up to date: Set your security software, internet browser, and operating system to update automatically, ensuring you benefit from the latest security patches.
  3. Be cautious with links in emails and text messages: Think before clicking on links in emails or text messages, as phishing attacks can lead to malware infection.
  4. Lock your phone: Setting up a lock screen increases the security of your Android device.
  5. Use strong passwords: Protect your device by using strong passwords for both the lock screen and individual apps.
  6. Encrypt your devices: Encrypting your devices makes it difficult for someone to hack into them and access sensitive data.
  7. Be cautious with Wi-Fi networks: Pay attention to the security of Wi-Fi networks you use to access data, as public networks can be insecure.
  8. Install robust antivirus software: Use antivirus software from trusted vendors like Kaspersky, McAfee, or Hexnode to detect, prevent, and remove malware from your Android device.
  9. Be proactive in removing malware: If you suspect your device has been infected with malware, use antivirus software to scan for and remove any potential threats.

By following these best practices, users can significantly reduce their risk of falling victim to Android malware, including Xamalicious.

How can users remove Xamalicious Android malware from their devices?

To remove Xamalicious Android malware from a device, users can follow these steps:

  1. Turn off the device: Immediately turn off the device to prevent the malware from causing further damage.
  2. Boot the device in safe mode: Boot the device in safe mode to prevent the malware from running.
  3. Uninstall suspicious apps: Uninstall any suspicious apps that may be infected with the malware.
  4. Install antivirus software: Install a robust antivirus app from a trusted vendor to detect and remove the malware.
  5. Scan the device: Use the antivirus app to scan the device for malware and remove any detected threats.
  6. Clear cache and downloads: Clear the cache and downloads to remove any infected files.
  7. Change passwords: Change passwords for all accounts to prevent the malware from accessing sensitive information.
  8. Factory reset: As a last resort, perform a factory reset to remove the malware, but be aware that this will erase all data on the device.

By following these steps, users can remove Xamalicious Android malware from their devices and prevent further damage.
