The cybersecurity firm McAfee has discovered a previously undetected Android backdoor called ‘Xamalicious’ that has affected an estimated 338,300 devices. The malware found its way onto users' devices through 14 apps available on the official app store, Google Play, with the most downloaded of these apps reaching 100,000 installs each. McAfee, working collaboratively within the App Defense Alliance, identified the infected applications and reported its findings for remedial action.
Analysis and Impact of Malware
Xamalicious is a sophisticated backdoor embedded within certain Android applications. It is built on the Xamarin framework, an open-source platform that allows developers to write Android and iOS apps in .NET. The backdoor takes the form of two Dynamic Link Libraries (DLLs), ‘Core.dll’ and ‘GoogleService.dll’. Upon installation, the malware requests access to Accessibility Services, which grants it a range of capabilities including executing navigation gestures, hiding elements on the screen, and self-granting additional privileges.
The infiltration by Xamalicious goes further. Once installed, it communicates with a command and control (C2) server, awaiting instructions to fetch a secondary payload, ‘cache.bin’. Whether this second stage runs depends on several conditions, such as the user's location, network parameters, the device's configuration, and whether the device is rooted.
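The two assembly names above are the most concrete static indicator the article gives. The following script, an added example that is not McAfee's tooling or part of the original report, shows a defender-side triage check: it opens an APK as the zip archive it is, lists the Xamarin-bundled .NET assemblies, and flags the names the article reports. It assumes Xamarin.Android stores its assemblies under an `assemblies/` directory inside the APK; the sample APK it scans is constructed in memory, and the function names (`build_sample_apk`, `triage_apk`) are the example's own.

```python
import io
import zipfile

# Assembly names the article attributes to the Xamalicious backdoor.
SUSPECT_ASSEMBLIES = frozenset({"Core.dll", "GoogleService.dll"})

# Xamarin.Android bundles its .NET assemblies under this directory inside the APK.
# Assumption about package layout: newer toolchains may also store assemblies in an
# LZ4-compressed or single-blob form, which this simple name check would miss.
ASSEMBLY_DIR = "assemblies/"


def build_sample_apk(include_suspects: bool) -> bytes:
    """Build a minimal APK-shaped zip in memory. Constructed sample, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"binary manifest placeholder")
        zf.writestr("classes.dex", b"dex placeholder")
        zf.writestr(ASSEMBLY_DIR + "Mono.Android.dll", b"placeholder")
        zf.writestr(ASSEMBLY_DIR + "SampleApp.dll", b"placeholder")
        if include_suspects:
            zf.writestr(ASSEMBLY_DIR + "Core.dll", b"placeholder")
            zf.writestr(ASSEMBLY_DIR + "GoogleService.dll", b"placeholder")
    return buf.getvalue()


def triage_apk(apk_bytes: bytes) -> dict:
    """Summarise whether the APK is a Xamarin app and whether it ships the reported assembly names."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    assemblies = sorted(
        n[len(ASSEMBLY_DIR):]
        for n in names
        if n.startswith(ASSEMBLY_DIR) and n.lower().endswith(".dll")
    )
    hits = [a for a in assemblies if a in SUSPECT_ASSEMBLIES]
    return {
        "is_xamarin": bool(assemblies),
        "assemblies": assemblies,
        "suspect_hits": hits,
        # A name match is only a lead: "Core.dll" is a generic name that benign apps
        # may use too. Confirm by examining the assemblies themselves and the
        # accessibility-service declaration in the manifest before acting.
        "verdict": "review" if hits else "no indicator",
    }


if __name__ == "__main__":
    for label, flag in (("clean sample", False), ("suspect sample", True)):
        print(label, triage_apk(build_sample_apk(flag)))
```

To run it against a real file, read the APK bytes from disk and pass them to `triage_apk`; the verdict is deliberately "review" rather than "malicious", because the assembly names alone do not prove the presence of the backdoor.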
Xamalicious has also been observed carrying out ad fraud through an app named ‘Cash Magnet’, which clicks ads and installs adware without the user's knowledge to generate revenue for the attackers. This activity degrades device performance and can consume network bandwidth.
Preventive Measures and User Safety
While Google Play conducts security checks to limit the upload of malicious apps, threats like Xamalicious can sometimes slip through the cracks. In light of such risks, Android users are urged to exercise caution by downloading applications only from official sources, limiting app downloads to what they actually need, thoroughly reviewing user feedback, and researching developers before installing any app.
Most of the detected infections have been installed on devices located in the United States, Germany, Spain, the U.K., Australia, Brazil, Mexico, and Argentina. Android users who have downloaded apps from the affected list since mid-2020 may still have active infections and are recommended to perform manual scans and cleanup to ensure their devices are not compromised.
While the malicious apps identified by McAfee have been removed from Google Play, continued vigilance is required, as similar malicious apps may appear on unofficial and less regulated third-party app stores, often distributed as Android package (APK) files.
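The manual check recommended above starts with one question: which installed apps currently hold Accessibility Services, the permission Xamalicious abuses? The script below is an added example, not part of the original article or of McAfee's guidance. It parses two pieces of device output that an administrator can collect with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and lists every non-allowlisted package with an enabled accessibility service together with its installer. The sample outputs are constructed, the package names are fictitious, and the assumed formats (colon-separated `package/ServiceClass` entries for the setting, `package:<name>  installer=<installer>` lines for `pm`) are the example's own assumptions.

```python
from typing import Dict, List, Tuple

# Constructed stand-in for the output of:
#   adb shell settings get secure enabled_accessibility_services
# Assumed format: colon-separated "package/ServiceClass" entries.
ENABLED_SERVICES_SAMPLE = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.freeflashlight/com.example.freeflashlight.AccessibilityHelper"
)

# Constructed stand-in for the output of `adb shell pm list packages -3 -i`,
# which lists third-party packages with their installer. Assumed line format.
INSTALLER_SAMPLE = """\
package:com.example.freeflashlight  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.bank  installer=com.android.vending
"""

# Constructed allowlist of packages expected to hold accessibility access.
EXPECTED_ACCESSIBILITY_PACKAGES = {"com.android.talkback"}


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the setting value into (package, service class) pairs."""
    pairs = []
    for entry in raw.strip().split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            pairs.append((pkg.strip(), svc.strip()))
    return pairs


def parse_installers(raw: str) -> Dict[str, str]:
    """Map each third-party package to the installer `pm` reports for it."""
    result: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, installer = body.partition("installer=")
        result[pkg.strip()] = installer.strip() or "unknown"
    return result


def find_review_candidates(
    services_raw: str,
    installers_raw: str,
    allowlist=EXPECTED_ACCESSIBILITY_PACKAGES,
) -> List[Dict[str, str]]:
    """List packages holding accessibility access that are not on the allowlist."""
    installers = parse_installers(installers_raw)
    candidates = []
    for pkg, svc in parse_enabled_services(services_raw):
        if pkg in allowlist:
            continue
        candidates.append({
            "package": pkg,
            "service": svc,
            # Play-installed apps can still be malicious (the article's apps were),
            # so the installer is context for the reviewer, not a clean/dirty signal.
            "installer": installers.get(pkg, "not a third-party package"),
        })
    return candidates


if __name__ == "__main__":
    for item in find_review_candidates(ENABLED_SERVICES_SAMPLE, INSTALLER_SAMPLE):
        print(f"{item['package']}: {item['service']} (installer: {item['installer']})")
```

Each listed package is a review item, not a conviction: the reviewer should confirm why the app needs accessibility access, and, if it is unexpected, revoke the permission in the device's Accessibility settings and uninstall the app.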