New Xamalicious Android malware installed 330k times on Google Play

December 27, 2023 at 11:00AM

Summary:
An Android backdoor, ‘Xamalicious,’ infected over 338,300 devices through malicious apps on Google Play. The apps have been removed, but affected users still need to scan their devices manually. The backdoor was embedded in popular apps, and a further set of apps on unofficial app stores carried it as well. It accessed sensitive data, may have ad fraud capabilities, and highlights the risks of installing apps from third-party sources.

The article discusses the discovery of a new Android backdoor named ‘Xamalicious’ that has infected approximately 338,300 devices through malicious apps on Google Play and unofficial third-party app stores. McAfee, a member of the App Defense Alliance, found 14 infected apps on Google Play, three of which had 100,000 installs each. Although the infected apps have been removed from Google Play, users who installed them since mid-2020 may still have active Xamalicious infections on their phones, requiring manual scans and cleanup.

The most popular Xamalicious-infected apps include ‘Essential Horoscope for Android,’ ‘3D Skin Editor for PE Minecraft,’ and ‘Logo Maker Pro’ with 100,000 installs each. Additionally, a separate set of 12 malicious apps carrying the Xamalicious threat is distributed on unofficial third-party app stores.

Xamalicious is a .NET-based Android backdoor that is embedded within apps developed using the open-source Xamarin framework, making the analysis of its code more challenging. Upon installation, it requests access to the Accessibility Service, enabling privileged actions. It communicates with the C2 (command and control) server to fetch the second-stage DLL payload based on various prerequisites.
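As an added defender-side illustration (not code from the article or from McAfee), the following triage helper checks an APK for the two traits described above: Xamarin/.NET assemblies packaged under `assemblies/` and a manifest that references the accessibility service binding permission. It assumes the standard Xamarin.Android layout and the `XALZ` header that Xamarin uses for LZ4-compressed assemblies; the manifest check is a raw byte search, not a full binary-XML parser, and the sample APK is constructed in memory.

```python
import io
import zipfile

# Constructed triage example; matching these traits is a reason to look closer,
# not proof of infection (many legitimate Xamarin apps use the accessibility API).
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
XALZ_MAGIC = b"XALZ"  # header Xamarin.Android writes on LZ4-compressed assemblies

def triage_apk(apk_bytes: bytes) -> dict:
    """Report Xamarin assemblies and accessibility-service declarations found in an APK."""
    result = {"xamarin_assemblies": [], "compressed_assemblies": 0,
              "declares_accessibility_service": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        for name in names:
            if name.startswith("assemblies/") and name.lower().endswith(".dll"):
                result["xamarin_assemblies"].append(name)
                with apk.open(name) as f:
                    if f.read(4) == XALZ_MAGIC:
                        result["compressed_assemblies"] += 1
        if "AndroidManifest.xml" in names:
            manifest = apk.read("AndroidManifest.xml")
            # Binary AXML stores its string pool as UTF-8 or UTF-16LE; search for both.
            needles = (ACCESSIBILITY_PERMISSION.encode("utf-8"),
                       ACCESSIBILITY_PERMISSION.encode("utf-16-le"))
            result["declares_accessibility_service"] = any(n in manifest for n in needles)
    result["matches_traits"] = (bool(result["xamarin_assemblies"])
                                and result["declares_accessibility_service"])
    return result

def build_sample_apk(xamarin: bool = True, accessibility: bool = True) -> bytes:
    """Build a constructed stand-in APK (a zip) with or without the traits above."""
    manifest = b"\x03\x00\x08\x00"  # fake AXML header, then a string-pool fragment
    if accessibility:
        manifest += ACCESSIBILITY_PERMISSION.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"dex\n035\x00")
        if xamarin:
            z.writestr("assemblies/App.dll", b"MZ" + b"\x00" * 60)
            z.writestr("assemblies/Helper.dll", XALZ_MAGIC + b"\x00" * 60)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```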

The malware is capable of executing various commands, including gathering device and hardware information, determining the device’s geographic location, identifying if the device is rooted, listing installed apps, and performing ad fraud to generate revenue for its operators.

The article concludes by stressing that Android users should avoid downloading apps from third-party sources, limit themselves to essential apps, read user reviews carefully before installation, and check the background of an app’s developer or publisher to limit malware infections on their mobile devices. Additionally, initiatives like the App Defense Alliance aim to detect and remove novel threats from the Google Play store.