Saturday, July 13, 2024

Android Malware Actively Infecting Devices to Take Full Control

Android malware infects devices to take full control for various illicit purposes like:- 

  • Stealing sensitive information
  • Generating unauthorized financial transactions
  • Enabling remote attacks

By gaining complete control, threat actors can exploit the device for their illicit activities, posing significant threats to:-

  • User privacy 
  • User security

Cybersecurity analysts at McAfee Mobile Research recently found an Android backdoor, “Android/Xamalicious,” using the Xamarin framework to infect devices and take full control.

Android Malware Gain Device Control

It employs social engineering for accessibility privileges and communicates with the C2 server. Second-stage payload dynamically injected as assembly DLL, which takes full control for:-

  • Ad fraud
  • App installs
  • Financially motivated actions

Researchers identified the link to the ad-fraud app “Cash Magnet,” revealing financial motivation. Xamarin usage allows long-term activity, hiding malicious code in the APK build process. 

Cash Magnet
Cash Magnet (Source – McAfee)

The custom encryption and the obfuscation techniques were used for communication and data exfiltration. Around 25 malicious apps carry the threat, some on Google Play since mid-2020. 

McAfee’s proactive measures and Google Play Protect aim to mitigate Potentially Harmful Applications. Android/Xamalicious detected on at least 327,000 devices, remains highly active.

Android/Xamalicious trojans disguise as apps from the following categories that are available in third-party markets:-

  • Health
  • Game
  • Horoscope
  • Productivity

Unlike previous Xamarin-based malware, Xamalicious is distinct in its implementation. Xamarin architecture allows .NET code interpretation on Android via Mono. 

An example app, “Numerology” prompts victims to enable accessibility services for deceptive functionality.

Tricking users into permitting accessibility services
Tricking users into permitting accessibility services (Source – McAfee)

All the accessibility services need to be activated manually after several OS warnings.

Accessibility services configuration prompt
Accessibility services configuration prompt (Source – McAfee)

Malware varies from traditional Java or ELF Android code and the original .NET, compiled into DLL, LZ4 compressed, and embedded in BLOB or /assemblies directory.

Besides this, it is loaded by ELF or DEX at runtime, reversing varies in complexity, and the code is commonly available in the following assemblies:- 

  • core.dll
  • <package-specific>.dll 

Some variants obfuscate DLLs, while others retain the original code. After acquiring accessibility permissions, the malware contacts the server for the second-stage payload.

App execution and communication with the malicious server
App execution and communication with the malicious server (Source – McAfee)

Xamalicious malware checks the victim’s device info, like apps and rooting status, via system commands. If rooted or connected via ADB, it skips the second-stage payload download.

Here below, we have mentioned the types of information that are collected by the malware:-

Data collected
Data collected (Source – McAfee)

With the help of RSA-OAEP and HTTPS, the Xamalicious encrypts all the data to evade detection. However, if the C2 infrastructure is available, then the hardcoded RSA keys in the DLL enable decryption. 

The Send() function encrypts data with a JWT and sends it to “/Updater” via HTTP POST. The decrypt() function uses a hardcoded RSA private key for C2 responses, possibly containing a second-stage payload.

Data sent to the C&C server that decides second-stage payload delivery and malware’s self-protection includes:- 

  • Rooting
  • ADB
  • SIM checks

The C&C encrypts DLL with AES and device-specific key, the device decrypts the token, and then the ‘URL,’ parameter with a custom AES key unique to device details.

Malicious apps Detected

Here below, we have mentioned all the malicious apps detected:-

Malicious apps
Malicious apps (Source – McAfee)

Countries from where users were affected

Here below, we have mentioned all the countries from where most of the users are affected:-

  • The USA
  • Brazil
  • Argentina
  • The UK
  • Spain
  • Germany


IOCs (Source – McAfee)

Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles