Warning for Android Users: Delete These 14 Apps Now to Protect Your Device


In a recent alarming revelation, cybersecurity researchers at McAfee have identified a new Android backdoor malware, ominously dubbed ‘Xamalicious.’ This insidious threat has stealthily infiltrated approximately 338,300 devices, exploiting unsuspecting users through malicious apps cunningly hosted on the Google Play Store. The discovery raises significant concerns regarding the security landscape of Android devices. The malware, discreetly nestled within 14 affected apps, managed to amass a considerable user base, with three of them tallying up to 100,000 installs each before prompt removal from the Google Play Store. While these apps are no longer accessible on the Play Store, users who inadvertently downloaded them are strongly urged to expeditiously remove the applications from their devices.

Identifying and Addressing the Menace

Users who installed the affected apps since mid-2020 may still harbor Xamalicious infections on their devices, necessitating a manual cleanup. McAfee recommends a meticulous examination of devices for any remnants of the malware, advising users to scrutinize their app lists, device settings, and any suspicious activities that may have transpired.

The identified Xamalicious-affected Android apps include popular titles such as:

  • Essential Horoscope for Android (100,000 installs)
  • 3D Skin Editor for PE Minecraft (100,000 installs)
  • Logo Maker Pro (100,000 installs)
  • Auto Click Repeater (10,000 installs)
  • Count Easy Calorie Calculator (10,000 installs)
  • Dots: One Line Connector (10,000 installs)
  • Sound Volume Extender (5,000 installs)

Furthermore, beyond the confines of the Google Play Store, a separate cluster of 12 malicious apps harboring the Xamalicious threat has emerged on unauthorized third-party app repositories. These apps pose a substantial risk to users who engage in APK file downloads outside the sanctioned Google Play Store environment.

The Complex Anatomy of Xamalicious

What sets Xamalicious apart is its foundation on the .NET framework and its integration into apps developed using the open-source Xamarin framework. This architectural choice presents a formidable challenge for cybersecurity analysts, complicating traditional code analysis efforts. Upon installation, Xamalicious strategically targets the Accessibility Service, granting it privileged access for executing navigation gestures, concealing on-screen elements, and acquiring additional permissions.

The malware then establishes communication with a Command and Control (C2) server, fetching a second-stage DLL payload (‘cache.bin’). This retrieval hinges on specific conditions, including geographical location, network conditions, device configuration, and root status. In light of this discovery, Android users are strongly advised to conduct thorough checks for Xamalicious infections, employing reputable antivirus software for manual cleanup. Regular device scans are recommended to fortify defenses against emerging malware threats, ensuring a secure mobile experience for users worldwide.
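Because Xamalicious depends on the Accessibility Service, one concrete device check is to list which user-installed apps currently hold an enabled accessibility service. The script below is an added example, not code from McAfee or from the article; it parses the output of two standard adb commands, and the package names in the embedded samples are constructed placeholders, not the real identifiers of the affected apps.

```python
"""Flag user-installed apps that hold an enabled Accessibility Service."""

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sampleapp/.core.AssistService"
)

# Constructed sample output of: adb shell pm list packages -3
SAMPLE_THIRD_PARTY = """\
package:com.example.sampleapp
package:com.example.notes
"""


def parse_enabled_services(raw):
    """Return (package, service_class) pairs from the colon-separated setting."""
    raw = raw.strip()
    if not raw or raw == "null":      # setting unset: nothing enabled
        return []
    pairs = []
    for component in raw.split(":"):
        package, sep, cls = component.strip().partition("/")
        if not sep or not package:    # skip malformed entries
            continue
        if cls.startswith("."):       # expand shorthand ".Cls" to a full name
            cls = package + cls
        pairs.append((package, cls))
    return pairs


def parse_packages(raw):
    """Return the set of package names from `pm list packages` output."""
    lines = (line.strip() for line in raw.splitlines())
    return {l[len("package:"):] for l in lines if l.startswith("package:")}


def review_candidates(enabled_raw, third_party_raw):
    """User-installed apps with an enabled accessibility service."""
    third_party = parse_packages(third_party_raw)
    hits = parse_enabled_services(enabled_raw)
    return sorted((pkg, cls) for pkg, cls in hits if pkg in third_party)


if __name__ == "__main__":
    for pkg, cls in review_candidates(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY):
        print(f"review: {pkg} has accessibility service {cls}")
```

A match is a prompt for manual review rather than proof of infection, since legitimate apps also use accessibility services; what matters is whether an app such as a horoscope or calorie counter has any reason to hold one.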
