Once again, the Play Store hosts dozens of corrupted applications. Their malware called Xamalicious is capable of taking control of your smartphone. Once you install them, remove them quickly!
Once again, numerous corrupted applications were discovered in the Play Store, Google's app store for Android – you can't change good old habits! Despite the security tools and measures that the Redmond company uses, hackers are constantly developing new strategies to circumvent them. This time, computer security researchers from McAfee have identified a new threat to Android users: the Xamalicious malware, which is hiding in several dozen applications. It primarily affects American, Brazilian and Argentinian users, but is also widespread in Europe and particularly in the United Kingdom, Spain and Germany.
© McAfee
Xamalicious: Thirteen applications that urgently need to be uninstalled
Xamalicious is designed to take control of a smartphone. To do this, the malware uses social engineering techniques with the aim of obtaining access permissions from the victim's device, allowing him to access functions normally reserved for the security system. Exploitation. The app states that it requires full access to function and provides the victim with instructions on how to enable accessibility services. The infected device then has ample opportunity to communicate with a command and control server, resulting in the download of a second payload. This then takes full control of the device and carries out malicious actions such as: Such as clicking on advertisements, installing applications, collecting personal and banking details, etc. All without the consent of the device owner, of course.
The virus collects several data from the device, including the list of installed applications, which is retrieved via system commands to determine whether the infected victim is a good target for the second stage payload. The malware can collect location, carrier and network information, as well as the device's root status and ADB connectivity configuration. To avoid detection by Google, cybercriminals use obfuscation techniques to encrypt application code to make it less readable and therefore easier to detect. They also use custom encryption to communicate with the remote server. Finally, to code the virus, they rely on Xamarin, a mobile application development platform that uses the C# programming language and the .NET framework.
© McAfee
The virus was hidden in the code of 13 Android applications available on the Play Store. Some have more than 100,000 downloads. Here is the list of infected apps:
- Essential horoscope for Android
- 3D skin editor for PE Minecraft
- Logo Maker Pro
- Auto click repeater
- Simple calorie calculator for counting
- Volume extender
- LetterLink
- NUMEROLOGY: PERSONAL HOROSCOPE AND NUMBER PREDICTION
- Pedometer: Simple step counter
- Track your sleep
- Volume Booster
- Astrological Navigator: Daily Horoscope and Tarot
- Universal calculator
Although Google quickly removed some of these apps from the Play Store, most of them are still available on third-party Android app stores. Note that researchers also discovered Xamalicious in the code of twelve other applications that are not distributed through the Play Store. In total, no fewer than 327,000 devices were affected. Furthermore, the campaign is still ongoing. Therefore, caution is advised…
If you have ever installed any of these on your smartphone, uninstall it as soon as possible. For security reasons, it's best to change your passwords and monitor your bank account transactions. Remember, just because you download an app from an official store doesn't mean you're safe. For this reason, it is strongly recommended that you only install applications that you really need and delete those that you no longer use. Before downloading, check the little details that might give you away – number of downloads, reviews, developer name, permission requests… Be sure to use a background antivirus to carefully check that there is not secretly malicious behavior at work.