McAfee Mobile Research Team uncovers a new Android backdoor named Xamalicious.

Developed using the Xamarin framework, it exploits accessibility permissions for malicious actions.
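Accessibility abuse starts with a declared accessibility service, which is visible in the app manifest before any code runs. The following is an added example (not code from McAfee or from any Xamalicious sample) that triages a decoded, text-form AndroidManifest.xml for the two capabilities this summary attributes to the malware: an accessibility service and permission to request package installs. The manifest embedded in the script is constructed for illustration; the package name and class names are placeholders.

```python
"""Triage an apktool-decoded (text) AndroidManifest.xml for the capabilities this
report associates with Xamalicious: an accessibility service and the ability to
request package installation.  Added example; the manifest below is constructed
and does not come from a real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
INSTALL_PACKAGES = "android.permission.REQUEST_INSTALL_PACKAGES"

# Constructed manifest: a harmless-looking utility app that also declares an
# accessibility service and asks to install packages.  Names are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Placeholder App">
        <activity android:name=".MainActivity"/>
        <service android:name=".HelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, any accessibility services, and whether the app
    can prompt the user to install further packages."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"

    permissions = {p.get(name_attr) for p in root.iter("uses-permission")}

    accessibility_services = []
    for svc in root.iter("service"):
        # A service is an accessibility service if it either filters on the
        # AccessibilityService action or is guarded by BIND_ACCESSIBILITY_SERVICE.
        actions = {a.get(name_attr) for a in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions or svc.get(perm_attr) == BIND_ACCESSIBILITY:
            accessibility_services.append(svc.get(name_attr))

    return {
        "package": root.get("package"),
        "accessibility_services": accessibility_services,
        "can_request_install": INSTALL_PACKAGES in permissions,
        "declared_permissions": sorted(p for p in permissions if p),
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A declared accessibility service is not malicious by itself (screen readers need one), so this is a triage signal: an app whose stated purpose does not need accessibility, yet binds such a service and can request installs, deserves a closer look at what the service handler does.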

Gathers metadata about the device and contacts a command-and-control (C2) server for a second-stage payload.

Dynamically injects the second stage as an assembly DLL at runtime for full control.

Capable of performing fraudulent actions like clicking on ads and installing apps without user consent.

Identified in 25 apps, some available on the official Google Play Store since mid-2020.

Estimated installations exceed 327,000, with a focus on users in Brazil, Argentina, U.K., Australia, U.S., Mexico, Europe, and the Americas.

Examples include Essential Horoscope, 3D Skin Editor for PE Minecraft, Logo Maker Pro, Auto Click Repeater, and more.

Xamalicious uses Xamarin to provide an additional layer of obfuscation, avoiding detection by security vendors.

Encrypts communication and data transmission between the C2 server and the infected device using RSA-OAEP with JWE.
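A JWE compact token carries its key-wrapping algorithm in a base64url-encoded protected header, so an analyst looking at C2 traffic can identify RSA-OAEP use without any key. The following is an added example (not code from McAfee or from the malware) that builds a constructed JWE token, parses its protected header, and flags RSA-OAEP. The token is assembled from dummy bytes for illustration; it is not captured traffic.

```python
"""Parse the protected header of a JWE compact token and flag RSA-OAEP key
wrapping, the scheme this report says Xamalicious uses for its C2 channel.
Added example; the token built here is constructed from placeholder bytes."""
import base64
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding JOSE strips, then decode."""
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def build_sample_jwe() -> str:
    """Construct a token with the five JWE parts: header, encrypted key, IV,
    ciphertext, tag.  Only the header is meaningful; the rest are placeholders."""
    header = {"alg": "RSA-OAEP", "enc": "A256GCM"}
    parts = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(b"\x00" * 256),  # constructed stand-in for the RSA-wrapped content key
        b64url_encode(b"\x01" * 12),   # constructed stand-in for the GCM IV
        b64url_encode(b"\x02" * 32),   # constructed stand-in for the ciphertext
        b64url_encode(b"\x03" * 16),   # constructed stand-in for the GCM tag
    ]
    return ".".join(parts)


def parse_jwe_header(token: str) -> dict:
    """Return the protected header of a compact JWE, raising ValueError on
    anything that is not structurally a JWE."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError(f"expected 5 dot-separated parts, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict) or "alg" not in header or "enc" not in header:
        raise ValueError("protected header is not a JSON object with alg and enc")
    return header


def is_rsa_oaep_jwe(token: str) -> bool:
    """True when the token is a JWE whose content key is wrapped with RSA-OAEP."""
    try:
        header = parse_jwe_header(token)
    except (ValueError, UnicodeDecodeError):
        # json.JSONDecodeError and binascii.Error are both ValueError subclasses.
        return False
    return header["alg"] in ("RSA-OAEP", "RSA-OAEP-256")


if __name__ == "__main__":
    token = build_sample_jwe()
    print(parse_jwe_header(token))
    print("RSA-OAEP JWE:", is_rsa_oaep_jwe(token))
```

Because the header is unauthenticated plaintext, this check works on any captured token regardless of the keys involved. It only identifies the JOSE structure; confirming that a given token belongs to this malware still requires correlating it with the destination host and the app that generated it.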

Xamalicious contains functions to self-update the main Android package (APK) file without user interaction.

Can potentially transform into spyware or a banking trojan.

McAfee links Xamalicious to an ad-fraud app named Cash Magnet, suggesting revenue generation through ad clicks.

Google Play Protect safeguards users against the malware, issuing warnings and automatically uninstalling it if it is already installed.

Users attempting to install an app with Xamalicious receive a warning, and the installation is blocked.

Simultaneously, a phishing campaign targets Indian users via social messaging apps, distributing rogue APK files.

Apps impersonate legitimate banks like State Bank of India (SBI), capturing credentials and sensitive information.

The harvested data facilitates unauthorized transactions by threat actors.