A new Android backdoor malware called Xamalicious has recently been discovered by the McAfee Mobile Research Team [1] [3]. The malware targets Android users and abuses the accessibility permissions of the Android operating system to gain control of infected devices.

Description

Xamalicious, developed with the Xamarin mobile app framework, has been found in 25 apps, some of which were distributed through the official Google Play Store since 2020 [1] [2] [3] [4]. These apps are estimated to have been installed at least 327,000 times [3]. The majority of infections have been reported in Brazil, Argentina, the UK, Australia, the US, Mexico, and other parts of Europe and the Americas [3] [4]. Xamalicious disguises itself as various types of apps, including health, games, horoscope, and productivity apps [1] [3] [4].

Once installed, Xamalicious gathers metadata about the device and establishes communication with a command-and-control server to fetch a second-stage payload [1] [3]. This payload gives the malware full control of the device [2] [3], allowing it to perform actions such as clicking on ads and installing apps without the user’s consent [3]. To further complicate matters, Xamalicious encrypts all communication and data transmitted between the infected device and the command-and-control server [1], making its activities harder to detect and analyze. Additionally, Xamalicious can self-update its main Android package file, allowing it to act as spyware or a banking trojan without any user interaction [3] [4].

McAfee has also identified a connection between Xamalicious and an ad-fraud app called Cash Magnet [3], suggesting a financial motivation behind the malware. The use of non-Java code frameworks such as Xamarin by the malware authors is intentional, as it helps them avoid detection and stay under the radar of security vendors [3].

In a separate incident, a phishing campaign targeting Indian users has been discovered [3]. This campaign uses popular social messaging apps such as WhatsApp to distribute rogue APK files that impersonate legitimate banks [3]. Once installed, the app requests SMS-related permissions and redirects users to a fake page designed to capture their credentials, account information, credit/debit card details, and national identity information [3]. The harvested data and intercepted SMS messages are then sent to a server controlled by the attackers, allowing unauthorized transactions to take place [3]. While this banking malware campaign primarily affects users in India, a few instances have been reported in other countries as well [3].
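Both campaigns above hinge on permissions a user can audit: Xamalicious relies on an enabled accessibility service, and the banking APKs request SMS permissions. The following Python helper is an added example, not code from McAfee or from any of the cited reports. It parses two inputs a defender can collect over ADB, the value of the secure setting `enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` entries, as printed by `adb shell settings get secure enabled_accessibility_services`) and the permission section of `adb shell dumpsys package <pkg>`, and flags accessibility services outside an allowlist and packages holding granted SMS permissions. The package names, class names and allowlist are constructed placeholders.

```python
"""Audit enabled accessibility services and granted SMS permissions (added example).

Inputs mimic the text produced by `settings get secure enabled_accessibility_services`
and `dumpsys package <pkg>`; the samples below are constructed, not real device output.
"""
from __future__ import annotations

import re

# Constructed sample: one expected screen reader plus an unknown service from a
# fictitious "horoscope" app. The crc64... prefix mirrors the mangled class names
# Xamarin.Android generates for managed types; the hash itself is made up.
SAMPLE_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.horoscope.daily/crc64example.AccessService"
)

# Constructed sample in the style of the permission section of `dumpsys package`.
SAMPLE_DUMPSYS = """\
Package [com.example.fakebank] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true
      android.permission.READ_SMS: granted=true
"""

# Assumed allowlist: accessibility services the device owner knowingly enabled.
KNOWN_ACCESSIBILITY = {"com.android.talkback"}

# Real Android permission names that give an app access to SMS traffic.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
}


def parse_accessibility_services(setting: str) -> list[tuple[str, str]]:
    """Split the secure setting into (package, service_class) pairs."""
    pairs = []
    for entry in filter(None, setting.strip().split(":")):
        pkg, _, cls = entry.partition("/")
        pairs.append((pkg, cls))
    return pairs


def unexpected_accessibility(setting: str, allowlist=KNOWN_ACCESSIBILITY) -> list[str]:
    """Packages with an enabled accessibility service that are not on the allowlist."""
    return [pkg for pkg, _ in parse_accessibility_services(setting) if pkg not in allowlist]


def granted_sms_permissions(dumpsys: str) -> dict[str, list[str]]:
    """Map each package in the dumpsys text to the SMS permissions it has been granted."""
    result: dict[str, list[str]] = {}
    pkg = None
    for line in dumpsys.splitlines():
        header = re.match(r"Package \[([\w.]+)\]", line)
        if header:
            pkg = header.group(1)
            continue
        grant = re.match(r"\s+([\w.]+): granted=true", line)
        if grant and pkg and grant.group(1) in SMS_PERMISSIONS:
            result.setdefault(pkg, []).append(grant.group(1))
    return result


if __name__ == "__main__":
    for pkg in unexpected_accessibility(SAMPLE_ACCESSIBILITY):
        print(f"review: accessibility service enabled for unlisted package {pkg}")
    for pkg, perms in granted_sms_permissions(SAMPLE_DUMPSYS).items():
        print(f"review: {pkg} holds SMS permissions {', '.join(perms)}")
```

On a real device, feed the functions the output of the two ADB commands named in the lead-in; an unlisted accessibility service or an unfamiliar app holding READ_SMS/RECEIVE_SMS is a prompt to review and, if unexplained, revoke the grant or uninstall the package.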

Conclusion

The discovery of Xamalicious and the phishing campaign targeting Indian users highlight the need for increased vigilance and security measures to protect against such threats. The widespread distribution of Xamalicious through legitimate app stores and its ability to evade detection pose significant risks to Android users. Similarly, the sophisticated phishing campaign targeting banking information emphasizes the importance of user awareness and caution when interacting with suspicious apps or messages. It is crucial for users to stay informed about the latest threats and to implement strong security measures to safeguard their devices and personal information.

References

[1] https://vulners.com/thn/THN:998F98A5D6CA0F75E0D47AF988826F00
[2] https://www.pcrisk.com/removal-guides/28670-xamalicious-malware-android
[3] https://thehackernews.com/2023/12/new-sneaky-xamalicious-android-malware.html
[4] https://pledgetimes.com/xamalicious-android-malware-infects-327000-devices/