The McAfee Mobile Research Team has uncovered a sophisticated Android backdoor known as Xamalicious, implemented using Xamarin, an open-source framework for building Android and iOS apps with .NET and C#. This malware employs social engineering to gain accessibility privileges, communicating with a command-and-control server to decide whether to download a second-stage payload dynamically injected as an assembly DLL at runtime.
This second stage grants full control of the infected device, enabling potentially fraudulent activities such as ad clicking and app installations without user consent. The malware, financially motivated, exhibits a link with an ad-fraud app named “Cash Magnet,” emphasizing the developers’ profit-driven motives. Xamalicious’s second stage payload leverages accessibility services granted during the first stage, allowing it to self-update the main APK and perform various actions, including spyware or banking Trojan activities, without user interaction.
The malware’s connection to the ad-fraud app highlights its involvement in generating revenue by automatically engaging in deceptive actions. The usage of Xamarin provides a layer of obfuscation, enabling malware authors to remain active and undetected for extended periods, taking advantage of the build process for APK files as a form of hiding the malicious code. The malware authors further implemented obfuscation techniques and custom encryption to exfiltrate data and communicate with the command-and-control server.
Approximately 25 malicious apps carrying the Xamalicious threat have been identified, with some variants distributed on Google Play since mid-2020. McAfee’s proactive removal of these apps from Google Play underscores its commitment to the App Defense Alliance and the malware mitigation program, aiming to prevent the spread of potentially harmful applications. The threat’s impact is substantial, with an estimated compromise of at least 327,000 devices from Google Play installations and additional infections from third-party markets.
The prevalence of Xamalicious underscores the ongoing challenges in combating sophisticated mobile malware, emphasizing the need for users to install security software and stay vigilant against potential threats.