A new Android backdoor has been discovered with potent capabilities to carry out a range of malicious actions on infected devices.
Dubbed Xamalicious by the McAfee Mobile Research Team, the malware is so named for the fact that it’s developed using an open-source mobile app framework called Xamarin and abuses the operating system’s accessibility permissions to fulfill its objectives.
It’s also capable of gathering metadata about the compromised device and contacting a command-and-control (C2) server to fetch a second-stage payload, but only after determining if it fits the bill.
The second stage is “dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps, among other actions financially motivated without user consent,” security researcher Fernando Ruiz said.
The cybersecurity firm said it identified 25 apps that come with this active threat, some of which were distributed on the official Google Play Store since mid-2020. The apps are estimated to have been installed at least 327,000 times.
Discover the secret tactics hackers use to become admins, how to detect and block it before it’s too late. Register for our webinar today.
A majority of the infections have been reported in Brazil, Argentina, the U.K., Australia, the U.S., Mexico, and other parts of Europe and the Americas. Some of the apps are listed below –
Xamalicious, which typically masquerades as health, games, horoscope, and productivity apps, is the latest in a long list of malware families that abuse Android’s accessibility services, requesting users’ access to it upon installation to carry out its tasks.
“To evade analysis and detection, malware authors encrypted all communication and data transmitted between the C2 and the infected device, not only protected by HTTPS, it’s encrypted as a JSON Web Encryption (JWE) token using RSA-OAEP with a 128CBC-HS256 algorithm,” Ruiz noted.
Even more troublingly, the first-stage dropper contains functions to self-update the main Android package (APK) file, meaning it can be weaponized to act as spyware or banking trojan without any user interaction.
McAfee said it identified a link between Xamalicious and an ad-fraud app named Cash Magnet, which facilitates app download and automated clicker activity to illicitly earn revenue by clicking on ads.
“Android applications written in non-java code with frameworks such as Flutter, react native and Xamarin can provide an additional layer of obfuscation to malware authors that intentionally pick these tools to avoid detection and try to stay under the radar of security vendors and keep their presence on apps markets,” Ruiz said.
The disclosure comes as the cybersecurity company detailed a phishing campaign that employs social messaging apps like WhatsApp to distribute rogue APK files that impersonate legitimate banks such as the State Bank of India (SBI) and prompt the user to install them to complete a mandatory Know Your Customer (KYC) procedure.
Once installed, the app asks the user to grant it SMS-related permissions and redirects to a fake page that only captures the victim’s credentials but also their account, credit/debit card, and national identity information.
The harvested data, alongside the intercepted SMS messages, are forwarded to an actor-controlled server, thereby allowing the adversary to complete unauthorized transactions.
It’s worth noting that Microsoft last month warned of a similar campaign that utilizes WhatsApp and Telegram as distribution vectors to target Indian online banking users.
“India underscores the acute threat posed by this banking malware within the country’s digital landscape, with a few hits found elsewhere in the world, possibly from Indian SBI users living in other countries,” researchers Neil Tyagi and Ruiz said.