Xamalicious is a new stealth backdoor targeting Android devices. It has infected at least 25 Android apps and has affected over 300k devices.
- Xamalicious is a new stealth backdoor targeting Android devices.
- Xamalicious is unusual in that it is implemented with Xamarin, an open-source framework that allows Android and iOS apps to be built with .NET and C#.
- An unknown financially motivated threat actor appears to be responsible for Xamalicious.
- It has infected at least 25 Android apps and has affected over 300k devices.
What is Xamalicious?
Xamalicious is a new stealth backdoor targeting Android devices. McAfee recently reported on Xamalicious. An unknown financially motivated threat actor appears to be responsible for Xamalicious.
Xamalicious is unusual in that it is implemented with Xamarin, an open-source framework that allows Android and iOS apps to be built with .NET and C#, so its malicious logic lives in .NET assemblies rather than in the Dalvik bytecode that most Android analysis tooling inspects. An earlier Android spyware, AndroSpy, which does not appear to be related to Xamalicious, was also built with Xamarin.
Xamalicious uses social engineering to convince the victim to grant it accessibility privileges. It then contacts its C2 server, which decides whether the device should receive a second-stage payload. That payload is a .NET assembly (a DLL) that is downloaded and loaded dynamically at runtime, giving the operators full control of the device. Combined with the accessibility privileges, this lets the malware click on ads and install apps without the user's consent. Xamalicious also collects device data, including but not limited to location, adb connectivity configuration, device brand and serial number, OS version, firmware version, and SIM information.
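The two traits described above, Xamarin packaging and an AccessibilityService declaration, are both visible statically in an APK before it runs. The script below is an added triage example written for this post; it is not McAfee's or PolySwarm's tooling. It relies on the standard Xamarin.Android packaging layout (managed code under assemblies/, the "XALZ" magic on LZ4-compressed assemblies, the libmonodroid.so runtime) and on the manifest strings an accessibility service has to declare; the APK it inspects is constructed inline with synthetic contents, not a real sample.

```python
"""Static triage of an APK for Xamarin artifacts and an AccessibilityService declaration.

Added example, not McAfee's or PolySwarm's tooling. Indicator names are the standard
Xamarin.Android packaging layout; the sample APK below is constructed, not a real sample.
"""
import io
import zipfile

# Xamarin.Android ships managed code under assemblies/; newer toolchains LZ4-compress
# each DLL and prefix it with the magic "XALZ", so a DLL that is not a PE ("MZ") file
# is still recognisable as a Xamarin assembly (and must be decompressed before analysis).
XALZ_MAGIC = b"XALZ"
PE_MAGIC = b"MZ"
# Native runtime the Xamarin bootstrap loads before any managed code runs.
XAMARIN_RUNTIME_LIBS = ("libmonodroid.so", "libmonosgen-2.0.so", "libxamarin-app.so")
# Strings an AccessibilityService must declare in AndroidManifest.xml.
ACCESSIBILITY_MARKERS = (
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.accessibilityservice.AccessibilityService",
)


def _contains_string(blob: bytes, text: str) -> bool:
    """Binary AXML keeps its string pool as UTF-8 or UTF-16LE; check both encodings."""
    return text.encode("utf-8") in blob or text.encode("utf-16-le") in blob


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the Xamarin and accessibility indicators found in an APK (a zip file)."""
    findings = {"assemblies": [], "compressed_assemblies": [], "runtime_libs": [],
                "accessibility_service": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        for name in names:
            base = name.rsplit("/", 1)[-1]
            if name.startswith("assemblies/") and base.lower().endswith(".dll"):
                findings["assemblies"].append(name)
                if apk.read(name)[:4].startswith(XALZ_MAGIC):
                    findings["compressed_assemblies"].append(name)
            elif name.startswith("lib/") and base in XAMARIN_RUNTIME_LIBS:
                findings["runtime_libs"].append(name)
        if "AndroidManifest.xml" in names:
            manifest = apk.read("AndroidManifest.xml")
            findings["accessibility_service"] = any(
                _contains_string(manifest, marker) for marker in ACCESSIBILITY_MARKERS)
    findings["xamarin"] = bool(findings["assemblies"] or findings["runtime_libs"])
    return findings


def review_flags(findings: dict) -> list:
    """Turn raw findings into the reasons an analyst would pull the sample for a closer look."""
    flags = []
    if findings["xamarin"]:
        flags.append("xamarin-app")  # decompile the assemblies, not just classes.dex
    if findings["compressed_assemblies"]:
        flags.append("xalz-compressed-assemblies")  # LZ4-decompress before string/IL analysis
    if findings["accessibility_service"]:
        flags.append("accessibility-service")  # capability needed for click/install abuse
    if findings["xamarin"] and findings["accessibility_service"]:
        flags.append("xamarin+accessibility")  # the combination described for Xamalicious
    return flags


def build_sample_apk(with_xamarin: bool = True, with_accessibility: bool = True) -> bytes:
    """Constructed stand-in for an APK: synthetic file contents, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        # Minimal AXML-like blob: a chunk header followed by a UTF-16LE string-pool entry.
        manifest = b"\x03\x00\x08\x00"
        if with_accessibility:
            manifest += ACCESSIBILITY_MARKERS[0].encode("utf-16-le")
        apk.writestr("AndroidManifest.xml", manifest)
        apk.writestr("classes.dex", b"dex\n035\x00")
        if with_xamarin:
            apk.writestr("assemblies/Mono.Android.dll", XALZ_MAGIC + b"\x01\x00\x00\x00" + b"\x00" * 8)
            apk.writestr("assemblies/HelperApp.dll", PE_MAGIC + b"\x90" * 62)
            apk.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    print(result)
    print(review_flags(result))
```

Run it against a real APK with `triage_apk(open("app.apk", "rb").read())`. A hit on "xamarin+accessibility" is not proof of Xamalicious, since legitimate Xamarin apps can ship accessibility services, but it is the point at which the managed assemblies should be decompressed and decompiled rather than only reviewing classes.dex.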
Because its code ships as Xamarin assemblies rather than as ordinary Dalvik bytecode, Xamalicious has been able to remain undetected for quite some time. The threat actors also encrypt all communication between the victim device and the C2 as JWE tokens, using RSA-OAEP for key encryption and A128CBC-HS256 (AES-128-CBC with an HMAC-SHA-256 tag) for content encryption.
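A defender watching the C2 channel cannot decrypt these tokens without the server's RSA private key, but the JWE compact serialization itself is plaintext-structured and can be recognised. The script below is an added example written for this post, not code from McAfee's report or from PolySwarm: it parses a JWE compact token, decodes the protected header, and checks the alg/enc pair together with the field lengths that RSA-OAEP and A128CBC-HS256 impose (RFC 7516 and RFC 7518). The sample tokens are constructed inline with dummy bytes in the encrypted parts; the exact header fields Xamalicious uses beyond alg and enc are not known from the post.

```python
"""Structural check of a JWE compact token for the RSA-OAEP / A128CBC-HS256 profile.

Added example, not from McAfee's report or PolySwarm. Only the JOSE structure is
inspected (RFC 7516 / RFC 7518); nothing is decrypted. Sample tokens are constructed.
"""
import base64
import json


def b64url_decode(data: str) -> bytes:
    """base64url without padding, as JOSE uses it."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_jwe_compact(token: str) -> dict:
    """Split a JWE compact serialization into its five parts and decode the protected header."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization has exactly five dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    return {
        "header": header,
        "encrypted_key": b64url_decode(parts[1]),
        "iv": b64url_decode(parts[2]),
        "ciphertext": b64url_decode(parts[3]),
        "tag": b64url_decode(parts[4]),
    }


def matches_c2_profile(token: str) -> tuple:
    """Return (True, []) when the token is shaped like the described C2 traffic, else (False, reasons)."""
    try:
        jwe = parse_jwe_compact(token)
    except ValueError:  # covers json.JSONDecodeError, binascii.Error and UnicodeDecodeError
        return False, ["not a JWE compact serialization"]
    reasons = []
    h = jwe["header"]
    if h.get("alg") != "RSA-OAEP":
        reasons.append(f"alg is {h.get('alg')!r}, expected RSA-OAEP")
    if h.get("enc") != "A128CBC-HS256":
        reasons.append(f"enc is {h.get('enc')!r}, expected A128CBC-HS256")
    # RFC 7518 section 5.2.3: A128CBC-HS256 uses a 16-byte IV, AES-CBC output in
    # whole 16-byte blocks, and a tag that is the first 16 bytes of HMAC-SHA256.
    if len(jwe["iv"]) != 16:
        reasons.append(f"iv is {len(jwe['iv'])} bytes, expected 16")
    if len(jwe["ciphertext"]) == 0 or len(jwe["ciphertext"]) % 16:
        reasons.append("ciphertext is not a whole number of AES blocks")
    if len(jwe["tag"]) != 16:
        reasons.append(f"tag is {len(jwe['tag'])} bytes, expected 16")
    # RSA-OAEP wraps the 32-byte content key in a single RSA block, so the encrypted
    # key is exactly the modulus size: 256 bytes for RSA-2048, 384 for 3072, 512 for 4096.
    if len(jwe["encrypted_key"]) not in (256, 384, 512):
        reasons.append(f"encrypted key is {len(jwe['encrypted_key'])} bytes, not an RSA modulus size")
    return (not reasons), reasons


def build_sample_token(alg: str = "RSA-OAEP", enc: str = "A128CBC-HS256", key_len: int = 256) -> str:
    """Constructed token: real JOSE framing, dummy bytes where ciphertext would be."""
    header = b64url_encode(json.dumps({"alg": alg, "enc": enc}, separators=(",", ":")).encode())
    encrypted_key = (bytes(range(256)) * 2)[:key_len]
    iv = b"\x00" * 16
    ciphertext = b"\x11" * 48
    tag = b"\x22" * 16
    return ".".join([header, b64url_encode(encrypted_key), b64url_encode(iv),
                     b64url_encode(ciphertext), b64url_encode(tag)])


if __name__ == "__main__":
    print(matches_c2_profile(build_sample_token()))
    print(matches_c2_profile(build_sample_token(enc="A256GCM")))
```

The check is a structural filter, not an attribution rule: any application using the same JOSE profile will match, so it is most useful for pulling candidate flows out of a capture for correlation with the app that generated them.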
McAfee noted there is a link between Xamalicious and the ad fraud app known as Cash Magnet. Cash Magnet is capable of installing apps, clicking ads, and performing other actions to fraudulently generate revenue.
So far, Xamalicious has reportedly been embedded in at least 25 known Android apps, including health apps, games, horoscope apps, and productivity apps, and has affected over 300k devices. The majority of the infections appear to be in the US, Germany, Spain, the UK, Australia, Brazil, Mexico, and Argentina.
McAfee noted that Google has removed the known infected apps from the Play store. However, third-party repositories may still be distributing them, so devices that sideload apps remain at risk.
PolySwarm has multiple samples of Xamalicious.
You can use the following CLI command to search for all Xamalicious samples in our portal:
$ polyswarm link list -f Xamalicious
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at firstname.lastname@example.org | Check out our blog | Subscribe to our reports.