The PolySwarm Blog


Xamalicious Android Backdoor

Jan 16, 2024 7:42:21 AM / by The Hivemind


Executive Summary

Xamalicious is a new stealth backdoor targeting Android devices. It has infected at least 25 Android apps and has affected over 300k devices.

Key Takeaways

  • Xamalicious is a new stealth backdoor targeting Android devices.
  • Xamalicious is unusual in that it is implemented with Xamarin, an open-source framework that allows Android and iOS apps to be built with .NET and C#.
  • An unknown financially motivated threat actor appears to be responsible for Xamalicious.
  • It has infected at least 25 Android apps and has affected over 300k devices.

What is Xamalicious?

Xamalicious is a new stealth backdoor targeting Android devices. McAfee recently reported on Xamalicious. An unknown financially motivated threat actor appears to be responsible for Xamalicious.

Xamalicious is unusual in that it is implemented with Xamarin, an open-source framework that allows Android and iOS apps to be built with .NET and C#. Previously, AndroSpy, which does not appear to be related to Xamalicious, was also built on Xamarin.

Xamalicious attempts to use social engineering to gain accessibility privileges. It then contacts the C2 to determine whether to download a second-stage payload. The second stage payload is dynamically injected as an assembly DLL at runtime, allowing it to take full control of the device. This control also allows the malware to click on ads and install apps without the user's consent. Xamalicious can also collect device data, including but not limited to location, adb connectivity configuration, device brand and serial number, OS version, firmware version, and SIM information.

Since Xamalicious uses Xamarin, a framework rarely seen in Android malware, the malware can remain undetected for quite some time. The threat actors also encrypt all communication between the victim device and the C2 as a JWE token, using RSA-OAEP for key encryption and A128CBC-HS256 for content encryption.
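As an added illustration of the C2 channel format described above (this is example code written for this post, not code from the McAfee or PolySwarm analyses), the following Python parses a JWE compact-serialization token and reports whether its protected header uses the RSA-OAEP / A128CBC-HS256 combination. The token it builds is constructed for the demo and contains no real captured traffic.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # JWE segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_constructed_jwe(alg: str = "RSA-OAEP", enc: str = "A128CBC-HS256") -> str:
    """Build a constructed (fake) JWE compact token with the given header.
    The key, IV, ciphertext and tag bytes are placeholders, not real crypto."""
    header = json.dumps({"alg": alg, "enc": enc}, separators=(",", ":"))
    segments = [
        _b64url(header.encode()),
        _b64url(b"\x11" * 256),  # placeholder RSA-OAEP-encrypted content key
        _b64url(b"\x22" * 16),   # 128-bit IV required by A128CBC-HS256
        _b64url(b"\x33" * 48),   # placeholder ciphertext
        _b64url(b"\x44" * 16),   # 128-bit authentication tag
    ]
    return ".".join(segments)


def inspect_jwe(token: str) -> dict:
    """Parse a JWE compact token and check it against the profile in the
    bulletin: alg RSA-OAEP, enc A128CBC-HS256, 16-byte IV and 16-byte tag."""
    parts = token.split(".")
    if len(parts) != 5:
        return {"is_jwe": False, "reason": "expected 5 dot-separated segments"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        iv = _b64url_decode(parts[2])
        tag = _b64url_decode(parts[4])
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return {"is_jwe": False, "reason": "undecodable header or segments"}
    if not isinstance(header, dict):
        return {"is_jwe": False, "reason": "protected header is not a JSON object"}
    alg, enc = header.get("alg"), header.get("enc")
    iv_ok, tag_ok = len(iv) == 16, len(tag) == 16
    return {
        "is_jwe": True,
        "alg": alg,
        "enc": enc,
        "iv_len_ok": iv_ok,
        "tag_len_ok": tag_ok,
        "matches_profile": alg == "RSA-OAEP" and enc == "A128CBC-HS256" and iv_ok and tag_ok,
    }
```

Run over strings pulled from proxy or PCAP exports, a `matches_profile` hit is only a triage signal: plenty of legitimate apps use the same JWE algorithms, so correlate with the app's package and destination before acting.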

McAfee noted there is a link between Xamalicious and the ad fraud app known as Cash Magnet. Cash Magnet is capable of installing apps, clicking ads, and performing other actions to fraudulently generate revenue.

So far, Xamalicious has reportedly infected at least 25 known Android apps, including health apps, games, horoscope apps, and productivity apps. The malware has affected over 300k devices. The majority of the infections appear to be in the US, Germany, Spain, the UK, Australia, Brazil, Mexico, and Argentina.

McAfee noted that Google Play has removed the known infected apps. However, third-party repositories are potentially still distributing them.

IOCs

PolySwarm has multiple samples of Xamalicious.


You can use the following CLI command to search for all Xamalicious samples in our portal:

$ polyswarm link list -f Xamalicious
