2023-12-27

A new Android backdoor called Xamalicious has been discovered with extensive capabilities to perform a variety of malicious actions on infected devices.

What experts say about Xamalicious

Named Xamalicious by the McAfee Mobile Research Team, the malware gets its name because it is built with the open source mobile app framework Xamarin; it abuses the operating system's accessibility permissions to achieve its goals.

It can also collect metadata about the compromised device and contact a command-and-control (C2) server to retrieve a second-stage payload, but only after checking whether the device is suitable.

The second stage of Xamalicious comes “dynamically injected as a DLL assembly at the runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps, among other actions for financial purposes without the user's consent”, said security researcher Fernando Ruiz.

The cybersecurity firm said it has identified 25 apps that have this active threat, some of which have been distributed on the official Google Play Store since 2020, and it is estimated that the apps have been installed at least 327,000 times.

Most infections have been reported in Brazil, Argentina, the United Kingdom, Australia, the United States, Mexico and other parts of Europe and the Americas. Some of the affected apps are listed below:

Essential Horoscope for Android (com.anomenforyou.essentialhoroscope)
3D Skin Editor for PE Minecraft (com.littleray.skineditorforpeminecraft)
Logo Maker Pro (com.vyblystudio.dotslinkpuzzles)
Auto Click Repeater (com.autoclickrepeater.free)
Count Easy Calorie Calculator (com.lakhinstudio.counteasycaloriecalculator)
Sound Volume Extender (com.muranogames.easyworkoutsathome)
LetterLink (com.regaliusgames.llinkgame)
NUMEROLOGY: PERSONAL HOROSCOPE & NUMBER PREDICTIONS (com.Ushak.NPHOROSCOPENUMBER)
Step Keeper: Easy Pedometer (com.browgames.stepkeepereasymeter)
Track Your Sleep (com.shvetsStudio.trackYourSleep)
Sound Volume Booster (com.devapps.soundvolumebooster)
Astrological Navigator: Daily Horoscope & Tarot (com.Osinko.HoroscopeTaro)
Universal Calculator (com.Potap64.universalcalculator)

Xamalicious, which usually masquerades as health, games, horoscope and productivity apps, is the latest in a long list of malware families that abuse Android accessibility services, requesting that access from users upon installation in order to carry out their tasks.

“To evade analysis and detection, the malware authors encrypted all communications and data transmitted between the C2 and the infected device, not only protected by HTTPS, but encrypted as a JSON Web Encryption encryption token (JWE) using RSA-OAEP with a 128CBC-HS256 algorithm”, Ruiz then argued.

Even more worrying, the first-stage dropper contains functions for auto-updating the main Android package (APK) file, which means it can be turned into spyware or a banking Trojan without any user interaction.

McAfee said it had identified a link between Xamalicious and an ad fraud app called Cash Magnet, which facilitates app downloads and auto-clicking activities to earn money illicitly by clicking on ads.

“Android applications written in non-Java code with frameworks such as Flutter, React Native and Xamarin can provide an additional layer of obfuscation for malware authors, who intentionally choose these tools to avoid detection and try to stay under the radar of security vendors and maintain their presence in app markets”, Ruiz said.

Android phishing campaign targets India with banking malware

The disclosure comes as the cybersecurity firm also details a phishing campaign that uses social messaging apps like WhatsApp to distribute fake APK files impersonating legitimate banks like State Bank of India (SBI), tricking users into installing them to complete a supposedly mandatory Know Your Customer (KYC) process.

Once installed, the app asks the user to grant SMS permissions and redirects to a fake page that captures not only the victim's credentials but also account, credit/debit card and national identity information.

The collected data, along with the intercepted SMS messages, is forwarded to a server controlled by the actor, allowing the adversary to complete unauthorized transactions.

It is worth noting that Microsoft warned last month of a similar campaign using WhatsApp and Telegram as distribution vectors to target Indian online banking users.

“India highlights the acute threat posed by this banking malware to the country's digital landscape, with few hits found elsewhere in the world, probably from Indian SBI users [State Bank of India] who live in other countries”, said researchers Neil Tyagi and Ruiz.