New sneaky Xamalicious Android malware affects more than 327,000 devices

Sneaky Xamalicious Android Malware

A new Android backdoor has been discovered with powerful capabilities to perform a range of malicious actions on infected devices.

Dubbed Xamalicious by the McAfee Mobile Research Team, the malware gets its name from the fact that it is built with the open-source mobile app framework Xamarin, and it abuses the operating system's accessibility permissions to achieve its objectives.

It is also capable of collecting metadata about the affected device and contacting a command-and-control (C2) server to retrieve a second-stage payload, but only after determining whether the device is a suitable target.

The second stage is “dynamically injected as an assembly DLL at the runtime level to take full control of the device and potentially perform fraudulent actions such as clicking ads, installing apps, and other financially motivated actions without permission of the user,” said security researcher Fernando Ruiz.

The cybersecurity firm said it has identified 25 apps associated with this active threat, some of which have been distributed through the official Google Play Store since mid-2020. The apps are estimated to have been installed at least 327,000 times.

The majority of infections have been reported in Brazil, Argentina, the UK, Australia, the US, Mexico and other parts of Europe and the Americas. Some of the apps are listed below:

  • Essential Horoscope for Android (com.anomenforyou.essentialhoroscope)
  • 3D Skin Editor for PE Minecraft (com.littleray.skineditorforpeminecraft)
  • Logo Maker Pro (com.vyblystudio.dotslinkpuzzles)
  • Auto Click Repeater (
  • Count Easy Calorie Calculator (com.lakhinstudio.counteasycaloriecalculator)
  • Sound Volume Expander (com.muranogames.easyworkoutsathome)
  • LetterLink (com.regaliusgames.llinkgame)
  • Step Keeper: Simple Pedometer (com.browgames.stepkeepereasymeter)
  • Track your sleep (com.shvetsStudio.trackYourSleep)
  • Sound Volume Booster (com.devapps.soundvolumebooster)
  • Astrological Navigator: Daily Horoscope & Tarot (com.Osinko.HoroscopeTaro)
  • Universal Calculator (com.Potap64.universalcalculator)

Xamalicious, which typically masquerades as health, gaming, horoscope, and productivity apps, is the latest in a long list of malware families that abuse Android's accessibility services, prompting users to grant that access upon installation so the malware can carry out its tasks.
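A practical way to hunt for this on a device is to cross-check the installed third-party packages against the package names reported above and against the accessibility services the device currently has enabled. The script below is an added example (not McAfee's tooling or anything from the malware) that parses the output of `adb shell pm list packages -3` and `adb shell settings get secure enabled_accessibility_services`. Both sample outputs are constructed for the example, and the service class names in them are placeholders, not real class names from the samples.

```python
"""Triage helper: flag installed packages that match the Xamalicious package
names quoted in the article, and any third-party package with an accessibility
service enabled. Sample inputs are constructed, not captured from a device."""

# Package names quoted in the article (the one with a truncated name is omitted).
XAMALICIOUS_PACKAGES = {
    "com.anomenforyou.essentialhoroscope",
    "com.littleray.skineditorforpeminecraft",
    "com.vyblystudio.dotslinkpuzzles",
    "com.lakhinstudio.counteasycaloriecalculator",
    "com.muranogames.easyworkoutsathome",
    "com.regaliusgames.llinkgame",
    "com.browgames.stepkeepereasymeter",
    "com.shvetsStudio.trackYourSleep",
    "com.devapps.soundvolumebooster",
    "com.Osinko.HoroscopeTaro",
    "com.Potap64.universalcalculator",
}

# Constructed to look like `adb shell pm list packages -3` output.
SAMPLE_PM_LIST = """package:com.android.chrome
package:com.anomenforyou.essentialhoroscope
package:com.example.notes
package:com.devapps.soundvolumebooster
"""

# Constructed to look like `adb shell settings get secure enabled_accessibility_services`.
# Entries are colon-separated "package/ServiceClass"; class names here are placeholders.
SAMPLE_ENABLED_A11Y = (
    "com.anomenforyou.essentialhoroscope/.MainAccessibilityService:"
    "com.example.screenreader/com.example.screenreader.ReaderService"
)


def parse_pm_list(text: str) -> set:
    """Parse `pm list packages` output into a set of package names."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def parse_enabled_accessibility(setting: str) -> dict:
    """Parse enabled_accessibility_services into {package: [service classes]}.
    The setting prints 'null' when no service is enabled; a class name that
    starts with '.' is relative to its package."""
    services = {}
    if setting is None or setting.strip() in ("", "null"):
        return services
    for entry in setting.strip().split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services


def triage(pm_list_text: str, a11y_setting: str, ioc_packages: set) -> list:
    """Return one finding per package that is a known IOC or has an
    accessibility service enabled, sorted by package name."""
    installed = parse_pm_list(pm_list_text)
    a11y = parse_enabled_accessibility(a11y_setting)
    findings = []
    for pkg in sorted(installed | set(a11y)):
        ioc = pkg in ioc_packages
        has_a11y = pkg in a11y
        if ioc or has_a11y:
            findings.append({
                "package": pkg,
                "installed": pkg in installed,
                "ioc_match": ioc,
                "accessibility_enabled": has_a11y,
                "services": a11y.get(pkg, []),
                "verdict": "IOC hit" if ioc else "review: accessibility enabled",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PM_LIST, SAMPLE_ENABLED_A11Y, XAMALICIOUS_PACKAGES):
        print(f"{f['verdict']:32} {f['package']} services={f['services']}")
```

An IOC match is a hit regardless of accessibility state; a package that merely has an accessibility service enabled is a review item, since legitimate screen readers use the same mechanism. The enabled-services setting can also name a package that is no longer installed, which the triage reports rather than silently dropping.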


“To evade analysis and detection, malware authors have encrypted all communications and data sent between the C2 and the infected device, not only protected by HTTPS, but also encoded as a JSON Web Encryption (JWE) token using RSA-OAEP with a 128CBC-HS256 algorithm,” Ruiz noted.
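As an added illustration (not code from McAfee's write-up or from the malware), the script below parses a JWE compact token of that shape and verifies its A128CBC-HS256 authentication tag using only Python's standard library. It assumes the 32-byte content encryption key (CEK) is already known; in practice it would be recovered by unwrapping the RSA-OAEP-encrypted key with the corresponding private key, which is not shown. The token it checks is constructed in the code, with placeholder bytes standing in for the real RSA and AES output.

```python
"""Parse and authenticate a JWE compact token with alg=RSA-OAEP and
enc=A128CBC-HS256. RSA unwrapping of the CEK is out of scope (it needs the
private key and a non-stdlib library), so the CEK is assumed known here.
The sample token is constructed, not captured from real C2 traffic."""
import base64
import hashlib
import hmac
import json
import struct


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_jwe_compact(token: str) -> dict:
    """Split the five dot-separated parts and decode the protected header."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization must have 5 parts")
    protected_b64, key_b64, iv_b64, ct_b64, tag_b64 = parts
    return {
        "protected_b64": protected_b64,
        "header": json.loads(b64url_decode(protected_b64)),
        "encrypted_key": b64url_decode(key_b64),
        "iv": b64url_decode(iv_b64),
        "ciphertext": b64url_decode(ct_b64),
        "tag": b64url_decode(tag_b64),
    }


def a128cbc_hs256_tag(mac_key: bytes, aad: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """RFC 7518 s5.2.2.1: HMAC-SHA256 over AAD || IV || CT || AL, truncated to
    16 bytes. AL is the AAD length in bits as a 64-bit big-endian integer."""
    al = struct.pack(">Q", len(aad) * 8)
    return hmac.new(mac_key, aad + iv + ciphertext + al, hashlib.sha256).digest()[:16]


def verify_jwe(token: str, cek: bytes) -> bool:
    """Check the header algorithms, field sizes and the authentication tag.
    For A128CBC-HS256 the 32-byte CEK splits into a MAC key (first 16 bytes)
    and an AES-128 key (last 16 bytes); only the MAC half is needed here."""
    j = parse_jwe_compact(token)
    h = j["header"]
    if h.get("alg") != "RSA-OAEP" or h.get("enc") != "A128CBC-HS256":
        return False
    if len(cek) != 32 or len(j["iv"]) != 16 or len(j["tag"]) != 16:
        return False
    if len(j["ciphertext"]) == 0 or len(j["ciphertext"]) % 16:
        return False
    aad = j["protected_b64"].encode("ascii")  # JWE AAD is the base64url header text
    expected = a128cbc_hs256_tag(cek[:16], aad, j["iv"], j["ciphertext"])
    return hmac.compare_digest(expected, j["tag"])


def build_sample_token(cek: bytes, iv: bytes, ciphertext: bytes, wrapped_key: bytes) -> str:
    """Assemble a structurally valid token with a correct tag. The wrapped key
    and ciphertext are placeholder bytes; no RSA or AES is performed."""
    header = {"alg": "RSA-OAEP", "enc": "A128CBC-HS256"}
    protected_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode("ascii"))
    tag = a128cbc_hs256_tag(cek[:16], protected_b64.encode("ascii"), iv, ciphertext)
    return ".".join([protected_b64, b64url_encode(wrapped_key), b64url_encode(iv),
                     b64url_encode(ciphertext), b64url_encode(tag)])


# Constructed sample values (not from a real capture).
SAMPLE_CEK = bytes(range(32))
SAMPLE_IV = b"\x11" * 16
SAMPLE_CT = b"\x22" * 48            # three AES blocks of placeholder ciphertext
SAMPLE_WRAPPED_KEY = b"\x33" * 256  # size of an RSA-2048 OAEP-wrapped key
SAMPLE_TOKEN = build_sample_token(SAMPLE_CEK, SAMPLE_IV, SAMPLE_CT, SAMPLE_WRAPPED_KEY)


def tampered_token() -> str:
    """Flip one ciphertext bit; the tag must then fail to verify."""
    parts = SAMPLE_TOKEN.split(".")
    ct = bytearray(b64url_decode(parts[3]))
    ct[0] ^= 0x01
    parts[3] = b64url_encode(bytes(ct))
    return ".".join(parts)


if __name__ == "__main__":
    info = parse_jwe_compact(SAMPLE_TOKEN)
    print("header:", info["header"], "wrapped key bytes:", len(info["encrypted_key"]))
    print("tag ok:", verify_jwe(SAMPLE_TOKEN, SAMPLE_CEK))
    print("tampered tag ok:", verify_jwe(tampered_token(), SAMPLE_CEK))
```

The point for an analyst is that the layering is exactly what it looks like on the wire: a TLS tunnel, and inside it a token whose header is readable but whose payload key is wrapped to a public key the malware carries. Without the matching private key the traffic cannot be decrypted even after TLS interception, so recovering that key from the sample (or hooking the app before encryption) is the practical route to the second-stage payload.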

More worryingly, the first-stage dropper includes functionality to update the main Android package (APK) file itself, meaning it could be weaponized to act as spyware or a banking Trojan without any further user interaction.

McAfee said it has identified a link between Xamalicious and an ad-fraud app called Cash Magnet, which performs automated app downloads and clicker activity to illegally generate revenue from ads.

“Android applications written in non-Java code using frameworks like Flutter and React Native [...] maintain their presence in the apps market,” said Ruiz.


Android phishing campaign targets India with banking malware

The disclosure comes as the cybersecurity company detailed a phishing campaign that uses social messaging apps like WhatsApp to distribute fraudulent APK files impersonating legitimate banks such as State Bank of India (SBI), asking users to install them to complete a supposedly mandatory Know Your Customer (KYC) procedure.

Once installed, the app asks the user to grant SMS-related permissions and redirects to a fake page that captures not only the victim's login credentials, but also their account, credit/debit card, and national identity details.

The collected data, along with intercepted SMS messages (including one-time passcodes), are forwarded to an actor-controlled server, allowing the adversary to complete unauthorized transactions.

It is worth noting that Microsoft last month warned of a similar campaign using WhatsApp and Telegram as distribution vectors to target Indian online banking users.

“India underlines the acute threat this banking malware poses within the country’s digital landscape, with a few hits elsewhere in the world, possibly from Indian SBI users living in other countries,” said researchers Neil Tyagi and Ruiz.
