New Xamalicious Android malware installed 330k times on Google Play

A previously unknown Android backdoor named 'Xamalicious' has infected approximately 338,300 devices via malicious apps on Google Play, Android's official app store.
McAfee, a member of the App Defense Alliance, discovered 14 infected apps on Google Play, with three having 100,000 installs each.
Even though the apps have since been removed from Google Play, users who installed them since mid-2020 might still carry active Xamalicious infections on their phones, requiring manual scans and cleanup.
A separate set of 12 malicious apps carrying the Xamalicious threat, for which download stats aren't available, are distributed on unofficial third-party app stores, infecting users via downloadable APK files.
According to McAfee's telemetry data, most infections were installed on devices in the United States, Germany, Spain, the U.K., Australia, Brazil, Mexico, and Argentina.
Xamalicious is a.NET-based Android backdoor embedded within apps developed using the open-source Xamarin framework, making the analysis of its code more challenging.
It communicates with the C2 server to fetch the second-stage DLL payload if specific geographical, network, device configuration, and root status prerequisites are met.
GeoInfo: Determines the device's geographic location using its IP address, collecting ISP name, organization, services, and a fraud score to detect non-genuine users.
EmuInfo: Lists adbProperties to ascertain if the client is a real device or an emulator, checking CPU, memory, sensors, USB configuration, and ADB status.
RootInfo: Identifies if the device is rooted using various methods and provides the rooting status.
Packages: Lists all system and third-party apps installed on the device using system commands.
GetURL: Requests the second-stage payload from the C2 server by providing the Android ID and receives the status and potentially an encrypted assembly DLL. McAfee has also found links between Xamalicious and an ad-fraud app called 'Cash Magnet,' which automatically clicks ads and installs adware on the victim's device to generate revenue for its operators.
It's possible that Xamalicious also performs ad fraud on infected devices, diminishing processor performance and network bandwidth.
Although Google Play isn't immune to malware uploads, initiatives like the App Defense Alliance aim to detect and remove novel threats that appear on the app store, which isn't the case on unofficial and poorly moderated platforms.
Roid users should avoid downloading apps from third-party sources, limit themselves to essential apps, thoroughly read user reviews before installation, and conduct a comprehensive background check on the app's developer/publisher to limit malware infections on their mobile devices.
Google Play adds security audit badges for Android VPN apps.
Avast confirms it tagged Google app as malware on Android phones.
Huawei, Vivo phones tag Google app as TrojanSMS-PA malware.
Roid malware Chameleon disables Fingerprint Unlock to steal PINs.
Ten new Android banking trojans targeted 985 bank apps in 2023.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 27 Dec 2023 15:55:12 +0000


Cyber News related to New Xamalicious Android malware installed 330k times on Google Play

New Xamalicious Android malware installed 330k times on Google Play - A previously unknown Android backdoor named 'Xamalicious' has infected approximately 338,300 devices via malicious apps on Google Play, Android's official app store. McAfee, a member of the App Defense Alliance, discovered 14 infected apps on Google ...
10 months ago Bleepingcomputer.com
The Limitations of Google Play Integrity API - This overview outlines the history and use of Google Play Integrity API and highlights some limitations. We also compare and contrast Google Play Integrity API with the comprehensive mobile security offered by Approov. Google provides app attestation ...
11 months ago Securityboulevard.com
More Android apps riddled with malware spotted on Google Play - An Android remote access trojan known as VajraSpy was found in 12 malicious applications, six of which were available on Google Play from April 1, 2021, through September 10, 2023. The malicious apps, which have now been removed from Google Play but ...
9 months ago Bleepingcomputer.com
Android 15, Google Play get new anti-malware and anti-fraud features - Today, Google announced new security features coming to Android 15 and Google Play that will help block scams, fraud, and malware apps on users' devices. Announced at Google I/O 2024, the new features are designed not only to help end users but also ...
6 months ago Bleepingcomputer.com
Over 90 malicious Android apps with 5.5M installs found on Google Play - Over 90 malicious Android apps were found installed over 5.5 million times through Google Play to deliver malware and adware, with the Anatsa banking trojan seeing a recent surge in activity. Anatsa is a banking trojan that targets over 650 ...
5 months ago Bleepingcomputer.com
Android XLoader malware can now auto-execute after installation - A new version of the XLoader Android malware was discovered that automatically executes on devices it infects, requiring no user interaction to launch. XLoader, aka MoqHao, is an Android malware operated and likely created by a financially motivated ...
9 months ago Bleepingcomputer.com
Google tests blocking side-loaded Android apps with risky permissions - Google has launched a new pilot program to fight financial fraud by blocking the sideloading of Android APK files that request access to risky permissions. An APK is a file format used to distribute Android apps for installation in the operating ...
9 months ago Bleepingcomputer.com
Google shares fix for Pixel phones hit by bad system update - Google has shared a temporary fix for owners of Google Pixel devices that were rendered unusable after installing the January 2024 Google Play system update. As previously reported by BleepingComputer, after the January 2024 Google Play system ...
9 months ago Bleepingcomputer.com
Malware abuses Google OAuth endpoint to 'revive' cookies, hijack accounts - Session cookies are a special type of browser cookie that contains authentication information, allowing a person to automatically log in to websites and services without entering their credentials. These types of cookies are meant to have a limited ...
10 months ago Bleepingcomputer.com
SpyLoan Android malware on Google Play downloaded 12 million times - More than a dozen malicious loan apps, which are generically named SpyLoan, have been downloaded more than 12 million times this year from Google Play but the count is much larger since they are also available on third-party stores and suspicious ...
11 months ago Bleepingcomputer.com
PixPirate: The Brazilian financial malware you can't see, part one - The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan malware that heavily utilizes anti-research techniques. Within IBM Trusteer, we saw several different ...
9 months ago Securityintelligence.com
Bigpanzi botnet infects 170,000 Android TV boxes with malware - A previously unknown cybercrime syndicate named 'Bigpanzi' has been making significant money by infecting Android TV and eCos set-top boxes worldwide since at least 2015. Beijing-based Qianxin Xlabs reports that the threat group controls a ...
10 months ago Bleepingcomputer.com
Android Malware Actively Infecting Devices to Take Full Control - Roid malware infects devices to take full control for various illicit purposes like:-. By gaining complete control, threat actors can exploit the device for their illicit activities, posing significant threats to:-. It employs social engineering for ...
10 months ago Gbhackers.com
Google promises a rescue patch for Android 14's "ransomware" bug - So Android 14 has this pretty horrible storage bug for upgrading users. Bugs are always going to happen, but the big problem with this is that Google has seemingly been ignoring it, and on Friday we wrote about how users have been piling up hundreds ...
11 months ago Arstechnica.com
New Wave of 'Anatsa' Banking Trojans Targets Android Users in Europe - The campaign has been ongoing for at least four months and is the latest salvo from the operators of the malware, which first surfaced in 2020 and has previously notched victims in the US, Italy, United Kingdom, France, Germany, and other countries. ...
9 months ago Darkreading.com
Google says spyware vendors behind most zero-days it discovers - Commercial spyware vendors were behind 80% of the zero-day vulnerabilities Google's Threat Analysis Group discovered in 2023 and used to spy on devices worldwide. Zero-day vulnerabilities are security flaws the vendors of impacted software do not ...
9 months ago Bleepingcomputer.com
PixPirate Android malware uses new tactic to hide on phones - The latest version of the PixPirate banking trojan for Android employs a new method to hide on phones while remaining active, even if its dropper app has been removed. PixPirate is a new Android malware first documented by the Cleafy TIR team last ...
8 months ago Bleepingcomputer.com
Google Groups is ending support for Usenet to combat spam - Google has officially announced it's ceasing support for Usenet groups on its Google Groups platform, a move partly attributed to the platform's increasing struggle with spam content. The upcoming changes will take effect from February 22, 2024, ...
10 months ago Bleepingcomputer.com
Android adware apps on Google Play amass two million installs - Several malicious Google Play Android apps installed over 2 million times push intrusive ads to users while concealing their presence on the infected devices. In their latest monthly mobile threat report, Doctor Web's analysts identified trojans on ...
11 months ago Bleepingcomputer.com
Google: Malware abusing API is standard token theft, not an API issue - Google is downplaying reports of malware abusing an undocumented Google Chrome API to generate new authentication cookies when previously stolen ones have expired. In late November 2023, BleepingComputer reported on two information-stealing malware ...
10 months ago Bleepingcomputer.com
Avast confirms it tagged Google app as malware on Android phones - Czech cybersecurity company Avast confirmed that its antivirus SDK has been flagging a Google Android app as malware on Huawei, Vivo, and Honor smartphones since Saturday. On affected devices, users were warned to immediately uninstall the Google app ...
11 months ago Bleepingcomputer.com
Google Online Security Blog: I/O 2024: What's new in Android security and privacy - As their tactics evolve in sophistication and scale, we continually adapt and enhance our advanced security features and AI-powered protections to help keep Android users safe. Today, we're announcing more new fraud and scam protection features ...
6 months ago Security.googleblog.com
Types of Malware and How To Prevent Them - Malware is one of the biggest security threats to any type of technological device, and each type of malware uses unique tactics for successful invasions. Even if you've downloaded a VPN for internet browsing, our in-depth guide discusses the 14 ...
4 months ago Pandasecurity.com
Google Search bug shows blank page in Firefox for Android - Users of the Firefox browser for Android have been reporting that they are seeing a blank page when trying to load the main Google Search site. A report of the issue on GitHub confirms that the problem is reproducible on Firefox Mobile 121.0 for ...
10 months ago Bleepingcomputer.com
Snowblind malware abuses Android security feature to bypass security - A novel Android attack vector from a piece of malware tracked as Snowblind is abusing a security feature to bypass existing anti-tampering protections in apps that handle sensitive user data. Snowblind's goal is to repackage a target app to make them ...
4 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)