New Android Xamalicious Malware Affects 327,000 Devices: Data Theft and Financial Attacks
A new Android backdoor, named Xamalicious by the McAfee Mobile Research Team, has been discovered, posing a threat to over 327,000 devices with its malicious capabilities.
Developed using the open-source mobile app framework Xamarin, the malware abuses the operating system’s accessibility permissions to carry out harmful actions.
Xamalicious can collect metadata about the compromised device and contact a command-and-control (C2) server to download a second-stage payload, checking device compatibility before executing it.
The second stage is “dynamically injected as an assembly DLL at runtime to gain complete control over the device and potentially execute fraudulent actions such as clicking on ads, installing apps, among other financially motivated actions without user consent,” said security researcher Fernando Ruiz.
The cybersecurity firm identified 25 apps containing this active threat, some distributed on the official Google Play Store since 2020. These apps are estimated to have been installed at least 327,000 times.
The bulk of infections have been reported in Brazil, Argentina, the U.K., Australia, the U.S., Mexico, and various parts of Europe and the Americas. Some of the affected apps are listed below:
- Essential Horoscope for Android (com.anomenforyou.essentialhoroscope)
- 3D Skin Editor for PE Minecraft (com.littleray.skineditorforpeminecraft)
- Logo Maker Pro (com.vyblystudio.dotslinkpuzzles)
- Auto Click Repeater (com.autoclickrepeater.free)
- Count Easy Calorie Calculator (com.lakhinstudio.counteasycaloriecalculator)
- Sound Volume Extender (com.muranogames.easyworkoutsathome)
- LetterLink (com.regaliusgames.llinkgame)
- NUMEROLOGY: PERSONAL HOROSCOPE & NUMBER PREDICTIONS (com.Ushak.NPHOROSCOPENUMBER)
- Step Keeper: Easy Pedometer (com.browgames.stepkeepereasymeter)
- Track Your Sleep (com.shvetsStudio.trackYourSleep)
- Sound Volume Booster (com.devapps.soundvolumebooster)
- Astrological Navigator: Daily Horoscope & Tarot (com.Osinko.HoroscopeTaro)
- Universal Calculator (com.Potap64.universalcalculator)
Xamalicious typically poses as a health, gaming, horoscope, or productivity app, joining the list of malware families that abuse Android’s accessibility services: the app requests that permission at installation and then uses it for malicious activity.
“To evade analysis and detection, malware authors encrypted all communication and data transmitted between the C2 and the infected device, not only protected by HTTPS, but encrypted as a JSON Web Encryption (JWE) token using RSA-OAEP with a 128CBC-HS256 algorithm,” noted Ruiz.
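As an added example (not code from McAfee’s report), the following Python triage helper parses the protected header of a JWE compact-serialization token and flags the alg/enc pair quoted above; the sample tokens are constructed here, and A128CBC-HS256 is assumed to be the registered name of the mode the quote calls 128CBC-HS256.

```python
import base64
import json

# alg/enc pair McAfee reported for Xamalicious C2 traffic. The quote says
# "128CBC-HS256"; A128CBC-HS256 is the RFC 7518 registered name (assumption).
SUSPECT_ALG = "RSA-OAEP"
SUSPECT_ENC = "A128CBC-HS256"

def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url as used in JOSE (RFC 7515, section 2)."""
    return base64.urlsafe_b64decode(s + "=" * ((-len(s)) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def parse_jwe_header(token: str) -> dict:
    """Return the protected header of a JWE compact serialization (RFC 7516).
    The header is the only segment readable without the recipient's RSA
    private key, so it is what traffic or log analysis can key on."""
    parts = token.split(".")
    if len(parts) != 5:  # header.encrypted_key.iv.ciphertext.tag
        raise ValueError(f"expected 5 dot-separated segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict) or "alg" not in header or "enc" not in header:
        raise ValueError("protected header lacks alg/enc, not a JWE")
    return header

def matches_xamalicious_profile(token: str) -> bool:
    """True when the token advertises the RSA-OAEP + A128CBC-HS256 combination."""
    try:
        header = parse_jwe_header(token)
    except ValueError:  # also covers binascii.Error and json.JSONDecodeError
        return False
    return header.get("alg") == SUSPECT_ALG and header.get("enc") == SUSPECT_ENC

def make_sample_token(alg: str, enc: str) -> str:
    """Build a constructed JWE-shaped token; the four binary segments are filler."""
    header = b64url_encode(json.dumps({"alg": alg, "enc": enc}).encode())
    filler = [b64url_encode(b"\x00" * n) for n in (256, 16, 32, 32)]
    return ".".join([header] + filler)

SAMPLES = {  # constructed samples, not captured traffic
    "xamalicious_like": make_sample_token("RSA-OAEP", "A128CBC-HS256"),
    "other_jwe": make_sample_token("dir", "A256GCM"),
    "not_jwe": "eyJhbGciOiJIUzI1NiJ9.e30.c2ln",  # three segments: JWS-shaped, not JWE
}

def triage(samples: dict) -> dict:
    """Map each sample name to whether it matches the reported C2 profile."""
    return {name: matches_xamalicious_profile(tok) for name, tok in samples.items()}
```

Run it over JWE-shaped strings pulled from proxy logs or a packet capture of the suspect app; everything after the header segment stays opaque without the private key.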
More worryingly, the first-stage dropper contains functions to self-update the main Android package (APK) file, so it can be turned into spyware or a banking trojan without user interaction.
McAfee identified a link between Xamalicious and an ad-fraud app named Cash Magnet, which drives app downloads and automated clicker activity to unlawfully generate ad revenue.
“Android applications written in non-Java code with frameworks such as Flutter, React Native, and Xamarin provide an additional layer of obfuscation for malware authors who deliberately choose these tools to avoid detection and stay under security vendors’ radar, maintaining their presence on app markets,” remarked Ruiz.
This revelation arrives as the cybersecurity company detailed a phishing campaign that uses social messaging apps such as WhatsApp to distribute rogue APK files posing as apps of legitimate banks such as the State Bank of India (SBI), prompting users to install them for a purportedly mandatory Know Your Customer (KYC) procedure.
Once installed, the app requests SMS-related permissions and redirects the user to a fake page that captures credentials, account details, credit/debit card data, and national identity information.
The gathered data, along with intercepted SMS messages, is sent to an actor-controlled server, enabling unauthorized transactions.
Microsoft previously warned of a similar campaign utilizing WhatsApp and Telegram to target Indian online banking users.
“India underscores the severe threat posed by this banking malware within the country’s digital landscape, with a few cases found elsewhere in the world, potentially from Indian SBI users living in other countries,” stated researchers Neil Tyagi and Ruiz.