New Sneaky Xamalicious Android Malware Hits Over 327,000 Devices

We Keep you Connected

New Sneaky Xamalicious Android Malware Hits Over 327,000 Devices

A new Android backdoor has been discovered with potent capabilities to carry out a range of malicious actions on infected devices.
Dubbed Xamalicious by the McAfee Mobile Research Team, the malware is so named for the fact that it’s developed using an open-source mobile app framework called Xamarin and abuses the operating system’s accessibility permissions to fulfill its objectives.
It’s also capable of gathering metadata about the compromised device and contacting a command-and-control (C2) server to fetch a second-stage payload, but only after determining if it fits the bill.
The second stage is “dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps, among other actions financially motivated without user consent,” security researcher Fernando Ruiz said.
The cybersecurity firm said it identified 25 apps that come with this active threat, some of which were distributed on the official Google Play Store since mid-2020. The apps are estimated to have been installed at least 327,000 times.
Discover the secret tactics hackers use to become admins, how to detect and block it before it’s too late. Register for our webinar today.
A majority of the infections have been reported in Brazil, Argentina, the U.K., Australia, the U.S., Mexico, and other parts of Europe and the Americas. Some of the apps are listed below –
Xamalicious, which typically masquerades as health, games, horoscope, and productivity apps, is the latest in a long list of malware families that abuse Android’s accessibility services, requesting users’ access to it upon installation to carry out privileged actions, including granting additional permissions to itself as required.
“To evade analysis and detection, malware authors encrypted all communication and data transmitted between the C2 and the infected device, not only protected by HTTPS, it’s encrypted as a JSON Web Encryption (JWE) token using RSA-OAEP with a 128CBC-HS256 algorithm,” Ruiz noted.
Even more troublingly, the first-stage dropper contains functions to self-update the main Android package (APK) file, meaning it can be weaponized to act as spyware or banking trojan without any user interaction.
McAfee said it identified a link between Xamalicious and an ad-fraud app named Cash Magnet, which facilitates app download and automated clicker activity to illicitly earn revenue by clicking on ads.
“Android applications written in non-java code with frameworks such as Flutter, react native and Xamarin can provide an additional layer of obfuscation to malware authors that intentionally pick these tools to avoid detection and try to stay under the radar of security vendors and keep their presence on apps markets,” Ruiz said.
In a statement shared with The Hacker News, Google said Play Protect safeguards Android users against the malware both on and off the Play Store.
“If a user already had one of these apps known to contain the malware installed, the user received a warning and it was automatically uninstalled from their device,” the company added. “If a user tries to install an app with this identified malware, they’ll get a warning and the app will be blocked from being installed.”
The disclosure comes as the cybersecurity company detailed a phishing campaign that employs social messaging apps like WhatsApp to distribute rogue APK files that impersonate legitimate banks such as the State Bank of India (SBI) and prompt the user to install them to complete a mandatory Know Your Customer (KYC) procedure.
Once installed, the app asks the user to grant it SMS-related permissions and redirects to a fake page that not only captures the victim’s credentials but also their account, credit/debit card, and national identity information.
The harvested data, alongside the intercepted SMS messages, are subsequently forwarded to an actor-controlled server, thereby allowing the adversary to complete unauthorized transactions.
It’s worth noting that Microsoft last month warned of a similar campaign that utilizes WhatsApp and Telegram as distribution vectors to target Indian online banking users.
“India underscores the acute threat posed by this banking malware within the country’s digital landscape, with a few hits found elsewhere in the world, possibly from Indian SBI users living in other countries,” researchers Neil Tyagi and Ruiz said.
(The story was updated after publication to include a statement from Google.)
Sign up for free and start receiving your daily dose of cybersecurity news, insights and tips.

source

GET THE LATEST UPDATES, OFFERS, INFORMATION & MORE