New Sneaky Xamalicious Android Malware Hits Over 327,000 Devices

28.12.2023


A recently discovered Android backdoor named Xamalicious has been found to possess formidable capabilities, enabling it to execute various malicious actions on compromised devices. Unearthed by the McAfee Mobile Research Team, the malware derives its name from its utilization of the Xamarin open-source mobile app framework and its exploitation of the accessibility permissions within the operating system to carry out its malicious objectives.

Xamalicious can collect metadata about the infected device and contact a command-and-control (C2) server to retrieve a second-stage payload. It does so selectively, checking that the device is compatible before proceeding. The second stage dynamically injects an assembly DLL at runtime, giving the malware complete control of the device. From there it can carry out fraudulent activity such as clicking on ads and installing apps, all financially motivated and without the user's consent, as highlighted by security researcher Fernando Ruiz.

McAfee identified 25 applications harboring this active threat, some of which were distributed on the official Google Play Store since mid-2020. The affected apps are estimated to have been downloaded and installed at least 327,000 times, underscoring the widespread impact of this security threat.

Other news

Italian Businesses Hit by Weaponized USBs Spreading Cryptojacking Malware

UNC4990, a threat actor operating in Italy, has been using weaponized USB devices to infect organizations across various sectors since late 2020. The group deploys the EMPTYSPACE downloader via USB and third-party websites; its motives are unclear, though cryptocurrency mining is a possibility. The infection starts when a victim opens a malicious LNK shortcut file. Yoroi identified four EMPTYSPACE variants, including the QUIETBOARD backdoor.


CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included a critical vulnerability affecting GitLab in its Known Exploited Vulnerabilities (KEV) catalog due to ongoing exploitation in the wild.
