If you are an Android user, you might want to check your device for any malicious apps that could compromise your security and privacy. According to a recent report by McAfee, a leading cybersecurity company, 13 apps on the Google Play Store are infected with malware called Xamalicious. This malware can steal your personal information, such as contacts, photos, and messages, and also perform remote tasks, such as sending SMS, making calls, and accessing the camera.
Google Android Warning: Malware Infected Apps
McAfee’s Mobile Research Team uncovered an Android backdoor named “Android/Xamalicious” that abuses the open-source Xamarin framework. Employing social engineering tactics, it asks the user for accessibility privileges and then communicates with a command-and-control server.
Upon approval, it downloads a second-stage payload, injecting it dynamically as an assembly DLL at runtime. This enables full device control, facilitating actions like ad clicks and app installations for financial gains without user consent.
The use of Xamarin conceals malicious activities, and obfuscation techniques further evade detection. McAfee detected around 25 malicious apps linked to Xamalicious, removed by Google. This threat, present since mid-2020, may have compromised at least 327,000 Google Play devices.
13 ‘Malicious’ Apps Identified by McAfee
Upon further analysis, McAfee found that there were 13 more apps on the Google Play Store that had the same malware signature. These apps were:
- Essential Horoscope for Android
- 3D Skin Editor for PE Minecraft
- Logo Maker Pro
- Auto Click Repeater
- Count Easy Calorie Calculator
- Sound Volume Extender
- LetterLink
- Numerology: Personal Horoscope & Number Predictions
- Step Keeper: Easy Pedometer
- Track Your Sleep
- Sound Volume Booster
- Astrological Navigator: Daily Horoscope & Tarot
- Universal Calculator
All these apps have been removed from the Google Play Store by Google after McAfee reported them. However, they might still be present on some users’ devices.
Technical Details:
Xamalicious utilizes Xamarin’s framework, staying hidden during the APK build process. The backdoor, distinct from previous Xamarin-abusing malware, employs .NET code compiled into a DLL, LZ4 compressed, and embedded in the /assemblies directory. After obtaining accessibility permissions, communication with the command-and-control server ensues, collecting device data for evaluation. Notably, Xamalicious incorporates multiple obfuscation techniques and custom encryption methods. Data transmission to the server is secured using JSON Web Encryption (JWE) tokens with hardcoded RSA key values, allowing decryption during analysis.
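The detail that the backdoor ships as an LZ4-compressed .NET DLL under the APK's assemblies/ directory gives an analyst a cheap triage check before any dynamic analysis. The script below is an added example, not McAfee's tooling or code from the article: it opens an APK (a zip file), lists every entry under assemblies/, and reports whether each one carries the `XALZ` header that Xamarin puts in front of an LZ4-compressed assembly (a known Xamarin format detail, not something the article states). It parses the header only and never decompresses or loads anything. The sample APK it builds is constructed inline, with made-up assembly names.

```python
import io
import struct
import zipfile

# Xamarin's compressed-assembly wrapper: 4-byte magic "XALZ", then a 32-bit
# descriptor index and the 32-bit uncompressed length, followed by the LZ4 block.
# (Known Xamarin format detail, assumed here; not taken from the article.)
XALZ_MAGIC = b"XALZ"
XALZ_HEADER = struct.Struct("<4sII")  # magic, descriptor index, uncompressed size


def parse_xalz_header(data):
    """Return (index, uncompressed_size) if data starts with a XALZ header, else None."""
    if len(data) < XALZ_HEADER.size:
        return None
    magic, index, size = XALZ_HEADER.unpack_from(data)
    if magic != XALZ_MAGIC:
        return None
    return index, size


def triage_apk_assemblies(apk_bytes):
    """List the Xamarin assemblies embedded in an APK and whether each is LZ4-compressed.

    Returns one dict per entry under assemblies/, suitable for a triage report.
    Only the first 12 bytes of each entry are read; nothing is decompressed or executed.
    """
    report = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if not name.startswith("assemblies/") or info.is_dir():
                continue
            with apk.open(info) as fh:
                head = fh.read(XALZ_HEADER.size)
            hdr = parse_xalz_header(head)
            report.append({
                "entry": name,
                "stored_size": info.file_size,
                "lz4_compressed": hdr is not None,
                "uncompressed_size": hdr[1] if hdr else info.file_size,
            })
    return report


def build_sample_apk():
    """Constructed minimal APK-like zip for offline demonstration (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        # An uncompressed assembly: a plain PE/COFF image starts with "MZ".
        z.writestr("assemblies/Mono.Android.dll", b"MZ" + b"\x00" * 62)
        # A XALZ-wrapped assembly whose header claims index 7 and 4096 bytes once decompressed.
        z.writestr("assemblies/Payload.dll",
                   XALZ_HEADER.pack(XALZ_MAGIC, 7, 4096) + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for row in triage_apk_assemblies(build_sample_apk()):
        print(row)
```

Run it against a real APK by replacing `build_sample_apk()` with the file's bytes; an assemblies/ directory full of XALZ-wrapped DLLs is simply a Xamarin app, so the output is a starting point for deeper inspection of the individual assemblies, not a verdict on its own.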
Payload Delivery:
Upon C2 approval, Xamalicious delivers a second-stage payload, encrypting the DLL with Advanced Encryption Standard (AES). The unique AES key, derived from the device ID, brand, model, and padding, forms multiple layers of encryption. The payload, delivered in a JSON Web Token, is decrypted at the client side, named “cache.bin,” and dynamically loaded using the Assembly.Load method.
Connection with Ad Fraud:
The research reveals a connection between Xamalicious and the ad-fraud app “Cash Magnet,” indicating financial motivations. Xamalicious samples, like “LetterLink,” were identified as versions of Cash Magnet performing ad fraud with automated clicker activities, app downloads, and other tasks. The infiltration of legitimate apps, such as “Dots: One Line Connector,” underscores the persistence of this threat.
Geographical Impact:
Xamalicious has affected users globally, with a higher concentration observed in the Americas, particularly in the USA, Brazil, and Argentina. European countries like the UK, Spain, and Germany also reported infections.
Steals Confidential Information and Performs Remote Tasks
The main purpose of the Xamalicious malware is to steal the user’s confidential information and perform remote tasks on their device. The malware can access the user’s contacts, photos, messages, call logs, location, and device information. It can also send SMS, make calls, access the camera, record audio, and download additional malicious files.
The malware communicates with a remote server, which can send commands to the infected device. The server can also update the malware or uninstall it remotely. The malware tries to evade detection by hiding its icon, using encryption, and changing its name.
How to Check for Malicious Apps on Your Android Device?
If you have downloaded any of the 13 apps mentioned above, you should uninstall them immediately and scan your device for any malware. Here are some steps you can follow to check for malicious apps on your Android device:
Uninstalling Suspicious Apps
- Go to Settings > Apps & notifications > See all apps.
- Look for any apps that have the same developer name, icon, or description as the 13 apps identified by McAfee.
- Tap on the app and select Uninstall. If the app does not have an uninstall option, it might have device administrator privileges. To revoke them, go to Settings > Security > Device admin apps and uncheck the app.
- Repeat the process for any other suspicious apps.
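Because Xamalicious depends on the user granting it accessibility privileges, the list of enabled accessibility services is a good place to look when the app has hidden its icon or changed its name and the Settings walk-through above turns up nothing obvious. The script below is an added example, not from the article or from McAfee: it parses the output of `adb shell settings get secure enabled_accessibility_services` (colon-separated package/service pairs) and of `adb shell pm list packages -3 -i` (third-party packages with their installer), and flags any accessibility service held by a package that is not on your own allowlist. The package names in the embedded sample output are constructed for the demo, and the allowlist is an assumed placeholder you would replace with the services you actually use.

```python
import subprocess

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated package/service pairs. Package names are made up for the demo.
SAMPLE_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.volumebooster/com.example.volumebooster.BoostService"
)

# Constructed sample of `pm list packages -3 -i` (third-party apps plus installer).
SAMPLE_PACKAGES = """package:com.example.volumebooster  installer=com.android.vending
package:com.example.notes  installer=null
"""

# Assumed placeholder allowlist: packages whose accessibility service you deliberately enabled.
KNOWN_GOOD_SERVICES = {"com.android.talkback"}


def parse_accessibility_services(raw):
    """Return {package: [service_class, ...]} from the colon-separated settings value."""
    services = {}
    for entry in raw.strip().split(":"):
        if not entry or "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        services.setdefault(pkg, []).append(svc)
    return services


def parse_package_list(raw):
    """Return {package: installer_or_None} from `pm list packages -i` output."""
    result = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip()
        result[pkg.strip()] = None if installer in ("", "null") else installer
    return result


def flag_accessibility_abuse(accessibility_raw, packages_raw, allowlist=KNOWN_GOOD_SERVICES):
    """Accessibility services held by packages outside the allowlist, with install context."""
    services = parse_accessibility_services(accessibility_raw)
    third_party = parse_package_list(packages_raw)
    flagged = []
    for pkg, svcs in services.items():
        if pkg in allowlist:
            continue
        flagged.append({
            "package": pkg,
            "services": svcs,
            "third_party": pkg in third_party,   # False means a system/preinstalled package
            "installer": third_party.get(pkg),   # e.g. com.android.vending for Play Store
        })
    return flagged


def adb_shell(*args):
    """Run a command on the attached device via adb and return its stdout."""
    proc = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    try:
        acc = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
        pkgs = adb_shell("pm", "list", "packages", "-3", "-i")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("adb or device not available; using constructed sample output")
        acc, pkgs = SAMPLE_ACCESSIBILITY, SAMPLE_PACKAGES
    for hit in flag_accessibility_abuse(acc, pkgs):
        print(hit)
```

A flagged third-party package that you do not recognise is a candidate for the Uninstall step above; if it resists removal, `adb shell dumpsys device_policy` lists active device administrators, which corresponds to the Device admin apps screen in Settings.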
Running a Malware Scan
- Download and install a reputable antivirus app, such as McAfee Mobile Security, from the Google Play Store.
- Open the app and run a full scan of your device.
- Follow the instructions to remove any malware or threats detected by the app.
- You can also enable the app’s features, such as app lock, anti-theft, and web protection, to enhance your device’s security.