A recently discovered Android backdoor named Xamalicious can perform a broad range of malicious actions on compromised devices. Identified by the McAfee Mobile Research Team, the malware takes its name from its use of the Xamarin open-source mobile app framework and from its abuse of the operating system's accessibility permissions to carry out its objectives.
Xamalicious collects metadata about the infected device and contacts a command-and-control (C2) server to retrieve a second-stage payload, but it does so selectively, first verifying that the device is compatible before proceeding. The second stage dynamically injects an assembly DLL at runtime, giving the malware full control of the device. It can then carry out fraudulent activity such as clicking on ads and installing apps, all for financial gain and without the user's consent, according to security researcher Fernando Ruiz.
McAfee identified 25 applications harboring this active threat, some of which were distributed on the official Google Play Store since mid-2020. The affected apps are estimated to have been downloaded and installed at least 327,000 times, underscoring the widespread impact of this security threat.