Over 330,000 Android devices have fallen victim to a previously unknown malware dubbed “Xamalicious,” researchers at McAfee revealed, highlighting the vulnerability of even the official Google Play Store to malicious actors. The malware masqueraded as seemingly harmless apps like horoscopes and skin editors, tricking unsuspecting users into downloading and installing it.
Key Highlights:
- 14 infected apps identified on Google Play, some surpassing 100,000 downloads.
- Xamalicious functions as a backdoor, granting attackers remote access to compromised devices.
- Potential for ad fraud and data theft not ruled out.
- Apps removed from Google Play, but existing infections require manual cleanup.
- Increased vigilance and caution urged when downloading apps.
McAfee, a member of the App Defense Alliance, uncovered the Xamalicious threat while monitoring app activity on Google Play. The malware, disguised within seemingly innocuous apps like “Essential Horoscope for Android” and “3D Skin Editor for PE Minecraft,” managed to evade initial security checks and slip onto the official app store.
Technical Details:
- Xamalicious is a .NET-based backdoor hidden within apps built using the Xamarin framework. This makes it more challenging to detect than traditional Java-based malware.
- The malware utilizes two core libraries: “Core.dll” and “GoogleService.dll,” masquerading as legitimate components for app functionality.
- Once activated, Xamalicious establishes communication with a remote server using hardcoded IP addresses and encryption techniques.
Once installed, Xamalicious operates as a backdoor, establishing a covert communication channel between the infected device and the attacker’s server. This grants malicious actors the ability to:
- Steal sensitive data like login credentials, financial information, and personal files.
- Install additional malware for further compromising the device.
- Perform unauthorized actions such as sending spam messages or making fraudulent calls.
- Monitor user activity and track their online behavior.
While the full extent of Xamalicious’ capabilities is still under investigation, researchers suspect its involvement in ad fraud schemes. The malware might be capable of automatically clicking on ads and installing adware to generate revenue for its operators.
The good news is that Google has responded swiftly and removed all identified Xamalicious-infected apps from the Play Store. However, existing infections remain a concern. Users who downloaded any of the following apps since mid-2020 are advised to immediately uninstall them and run a reputable security scan:
- Essential Horoscope for Android
- 3D Skin Editor for PE Minecraft
- Logo Maker Pro
- Auto Click Repeater
- Count Easy Calorie Calculator
- Dots: One Line Connector
- Sound Volume Extender
This incident underscores the importance of practicing good app hygiene when using Android devices. Download apps only from trusted sources, carefully review app permissions before granting them, and keep your device and security software up-to-date.
