A new version of the XLoader Android malware has been discovered that executes automatically on the devices it infects, requiring no user interaction to launch.
XLoader, aka MoqHao, is an Android malware operated and likely created by a financially motivated threat actor named 'Roaming Mantis,' previously seen targeting users in the U.S., U.K., Germany, France, Japan, South Korea, and Taiwan.
Attackers primarily distribute the malware through SMS messages containing a URL that points to a site delivering an Android APK installation file for a mobile app.
Researchers at McAfee report that recent XLoader variants demonstrate the ability to launch automatically after installation.
This allows the malware to run stealthily in the background and siphon sensitive user information, among other things.
To further disguise the malicious app, Roaming Mantis uses Unicode strings in the app name so that the malicious APK appears to be legitimate software, most notably the Chrome web browser.
This impersonation is vital for the next step: tricking the user into granting risky permissions on the device, such as sending and reading SMS messages, and into allowing the app to 'always run in the background' by exempting it from Android's Battery Optimization.
The fake Chrome app also asks the user to set itself as the default SMS app, claiming that doing so will help prevent spam.
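The three tells described above (a spoofed "Chrome" label, SMS permissions plus a battery-optimization exemption, and the intent filters Android requires before an app can be offered as the default SMS app) can be checked statically from a decoded APK. The following is an added triage script, not code from McAfee, BleepingComputer or the malware itself; the manifest and app label it runs on are constructed for illustration, and the confusable-character table is a small hand-picked subset of Unicode's confusables list.

```python
"""Static triage of a decoded Android APK for the fake-Chrome pattern:
spoofed app label, SMS permissions, battery-optimization exemption, and
the receiver/activity/service intent filters needed to become the default
SMS app. Added example; the manifest and label below are constructed."""
import unicodedata
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spelling of the android: attribute prefix

# Cyrillic/Greek letters that render like Latin ones (subset of Unicode confusables).
CONFUSABLES = {
    "\u0421": "C", "\u0441": "c", "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u041d": "H", "\u041c": "M",
    "\u03bf": "o", "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H",
}

SMS_PERMS = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.RECEIVE_MMS",
    "android.permission.RECEIVE_WAP_PUSH",
}
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
# Intent actions Android requires of a default SMS app (receiver, receiver, service).
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}


def label_looks_spoofed(label: str, target: str = "Chrome") -> bool:
    """True when `label` is not literally `target` but reads like it once
    invisible format characters are dropped and confusable letters are mapped."""
    if label == target:
        return False
    # Drop zero-width / bidi / other Cf characters, then fold compatibility forms.
    visible = "".join(ch for ch in label if unicodedata.category(ch) != "Cf")
    folded = unicodedata.normalize("NFKC", visible)
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    return skeleton.strip().casefold() == target.casefold()


def triage_manifest(xml_text: str) -> dict:
    """Pull permission and intent-filter facts out of a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    actions = {e.get(A + "name") for e in root.iter("action")}
    return {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "battery_optimisation_exclusion": BATTERY_PERM in perms,
        "default_sms_app_filters": sorted(actions & DEFAULT_SMS_ACTIONS),
        "can_become_default_sms_app": DEFAULT_SMS_ACTIONS <= actions,
    }


def triage(label: str, xml_text: str) -> dict:
    """Combine the label and manifest checks; three of four tells flags the sample."""
    findings = triage_manifest(xml_text)
    findings["label_spoofs_chrome"] = label_looks_spoofed(label, "Chrome")
    score = sum([
        findings["label_spoofs_chrome"],
        bool(findings["sms_permissions"]),
        findings["battery_optimisation_exclusion"],
        findings["can_become_default_sms_app"],
    ])
    findings["matches_fake_chrome_pattern"] = score >= 3
    return findings


# Constructed manifest resembling what `apktool d` decodes; not from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.browser">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="@string/app_name">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed label: Cyrillic 'С' (U+0421) plus a zero-width space; renders as "Chrome".
SAMPLE_LABEL = "\u0421hrome\u200b"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LABEL, SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The label check is deliberately strict (the skeleton must equal the target), so it will not catch variants such as "Google Chrome" with one swapped letter; loosen the comparison to a substring match if that matters for your corpus. The manifest side is the more reliable signal: a legitimate browser has no reason to register SMS_DELIVER, WAP_PUSH_DELIVER and RESPOND_VIA_MESSAGE handlers, which are exactly what an app needs before Android will offer to make it the default SMS app.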
XLoader's recent iteration creates notification channels and uses them to push custom phishing notifications on the device.
The phishing message and destination are fetched from Pinterest, which lets the attackers switch phishing destinations and messages on the fly without having to push an update to the malware on the device.
If that fetch fails, XLoader falls back to hardcoded phishing messages that warn the user of a problem with their bank account that requires them to take action.
The malware can execute a wide array of commands received from its command and control (C2) server over the WebSocket protocol. Examples include:
SendSms: Allows the malware to send SMS messages, spreading the malware or enabling phishing by impersonation.
Http: Facilitates sending HTTP requests for downloading malware, data exfiltration, or C2 communication.
Since its appearance in the mobile threat scene in 2015, XLoader has consistently evolved its attack methodologies, enhancing its stealth capabilities and effectiveness.
Since the malware hides under the guise of Chrome, McAfee suggests using a security product that can scan the device and detect and remove the threat based on known indicators.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 08 Feb 2024 18:35:06 +0000