December 27, 2023 at 04:18AM
A new Android backdoor, Xamalicious, has been uncovered by McAfee Mobile Research Team. It leverages accessibility permissions to execute malicious actions, including retrieving a second-stage payload and taking control of devices for fraudulent activities. The threat has been associated with 25 apps and is particularly prevalent in several countries, including Brazil, Argentina, the U.K., and the U.S. The backdoor’s communication and data transmission are encrypted to evade detection, and it has the capability to self-update into a spyware or banking trojan. Additionally, a phishing campaign utilizing social messaging apps and rogue APK files has been reported, targeting Indian banking users. This banking malware poses a significant risk within India’s digital landscape.
From the meeting notes, it is clear that a new Android backdoor malware named Xamalicious has been discovered. This malware is capable of carrying out a range of malicious actions on infected devices, including gathering metadata, contacting a command-and-control server, dynamically injecting a second-stage payload, and performing fraudulent activities such as clicking on ads and installing apps without user consent.
The malware has been found to be distributed through various apps, some of which were available on the official Google Play Store, resulting in at least 327,000 installations. The majority of the infections have been reported in Brazil, Argentina, the U.K., Australia, the U.S., Mexico, and other parts of Europe and the Americas, making it a widespread threat.
Furthermore, the malware authors have taken steps to evade analysis and detection by encrypting all communication and data transmitted between the command-and-control server and the infected device. It has also been identified that the first-stage dropper contains functions to self-update the main Android package file, allowing it to act as spyware or a banking trojan without any user interaction.
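As an added defensive check (example code, not part of the McAfee report or of this summary): because the backdoor depends on accessibility permissions, a defender triaging a device can list the enabled accessibility services and flag any whose package is not on a reviewed allowlist. On a real device the raw value comes from `adb shell settings get secure enabled_accessibility_services`; the sample value and the allowlist below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the McAfee report: triage Android accessibility
# services, the permission class Xamalicious relies on.
# On a device the raw value is obtained with:
#   adb shell settings get secure enabled_accessibility_services
# It is a colon-separated list of "package/ServiceClass" entries.

# Constructed allowlist: packages the defender has reviewed and accepts.
KNOWN_GOOD_PKGS="com.google.android.marvin.talkback com.android.switchaccess"

# Print every enabled service whose package is not on the allowlist.
# $1: raw setting value; $2: space-separated allowlist of package names.
flag_unknown_accessibility_services() {
  raw=$1
  allow=$2
  echo "$raw" | tr ':' '\n' | while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    pkg=${entry%%/*}            # package name precedes the first "/"
    case " $allow " in
      *" $pkg "*) ;;            # reviewed package, nothing to report
      *) echo "$entry" ;;       # unreviewed service: surface it for review
    esac
  done
}

# Constructed sample value in the format the settings command returns.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeapp/com.example.fakeapp.A11yService"

flag_unknown_accessibility_services "$SAMPLE" "$KNOWN_GOOD_PKGS"
```

Any entry printed is a candidate for closer inspection (install source, requested permissions, network behaviour); an empty result means every enabled service belongs to a package already reviewed.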
In addition to the Xamalicious malware, there is also information about a phishing campaign targeting Indian online banking users, which employs social messaging apps like WhatsApp to distribute rogue APK files that impersonate legitimate banks, such as the State Bank of India (SBI), in order to harvest sensitive user information.
The meeting notes provide important insights into these cybersecurity threats and their potential impact, highlighting the need for increased vigilance and security measures to mitigate the risks associated with these malicious activities.