Roid malware infects devices to take full control for various illicit purposes like:-.
By gaining complete control, threat actors can exploit the device for their illicit activities, posing significant threats to:-.
It employs social engineering for accessibility privileges and communicates with the C2 server.
Second-stage payload dynamically injected as assembly DLL, which takes full control for:-.
Xamarin usage allows long-term activity, hiding malicious code in the APK build process.
The custom encryption and the obfuscation techniques were used for communication and data exfiltration.
Around 25 malicious apps carry the threat, some on Google Play since mid-2020.
Roid/Xamalicious detected on at least 327,000 devices, remains highly active.
Roid/Xamalicious trojans disguise as apps from the following categories that are available in third-party markets:-.
Unlike previous Xamarin-based malware, Xamalicious is distinct in its implementation.
All the accessibility services need to be activated manually after several OS warnings.
Malware varies from traditional Java or ELF Android code and the original.
NET, compiled into DLL, LZ4 compressed, and embedded in BLOB or /assemblies directory.
Some variants obfuscate DLLs, while others retain the original code.
After acquiring accessibility permissions, the malware contacts the server for the second-stage payload. Xamalicious malware checks the victim's device info, like apps and rooting status, via system commands.
If rooted or connected via ADB, it skips the second-stage payload download. Here below, we have mentioned the types of information that are collected by the malware:-.
With the help of RSA-OAEP and HTTPS, the Xamalicious encrypts all the data to evade detection.
If the C2 infrastructure is available, then the hardcoded RSA keys in the DLL enable decryption.
The C&C encrypts DLL with AES and device-specific key, the device decrypts the token, and then the 'URL,' parameter with a custom AES key unique to device details.
Here below, we have mentioned all the malicious apps detected:-.
This Cyber News was published on gbhackers.com. Publication date: Tue, 26 Dec 2023 15:13:05 +0000