New Android malware family has infected thousands of devices – here’s what we know
Cybersecurity researchers at McAfee have discovered more than a dozen malicious apps lurking in the Google Play Store.
The researchers claim that these apps contained powerful malware, which could steal sensitive data from the infected Android devices and possibly even commit ad fraud.
The apps were downloaded no less than 330,000 times.
According to the researchers, the backdoor is called “Xamalicious” and has been discovered so far in the following apps:
– Essential Horoscope for Android – 100,000 installs
– 3D Skin Editor for PE Minecraft – 100,000 installs
– Logo Maker Pro – 100,000 installs
– Auto Click Repeater – 10,000 installs
– Count Easy Calorie Calculator – 10,000 installs
– Points: one line connector – 10,000 installs
– Sound volume extender – 5,000 installs
After labeling them as malicious, Google removed these apps from the app repository.
While Google's action is welcome, removing an app from the store does not remove it from devices that already installed it, and some of these apps have reportedly been available for download since mid-2020. Affected users will have to uninstall the apps themselves and run a mobile anti-virus or cleaning tool to remove any remaining components.
The majority of victims were found in the US, Britain, Germany, Spain, Australia, Brazil, Mexico and Argentina.
To work properly, the malware asks the victim to grant it access to the Accessibility Service. An app that has no accessibility purpose (a horoscope app, a logo maker) asking for this permission is a red flag, and refusing it is one of the simplest ways to distinguish a malicious app from a legitimate one.
If Accessibility is granted, the malware collects device and hardware information, including the Android ID, brand, CPU, model, OS version, language, developer options status, SIM information, and firmware. It also geolocates the device and identifies the name of the ISP, the organization and the services behind its connection. In addition, it includes several checks that allow it to determine whether it is running on a real device or in an emulator, so that it can avoid exposing its behaviour to analysis sandboxes.
Finally, the malware can fetch a second-stage payload from its command-and-control (C2) server.
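Because the malware depends on being granted Accessibility Service access, the most useful triage step on a suspect device is to list which installed apps currently hold that access and review any that have no accessibility purpose. The script below is an added example written for this article; it is not McAfee's tooling or code from the apps. It assumes `adb` is on the PATH with a device attached in USB debugging mode, and reads the Android secure setting `enabled_accessibility_services`, whose value is a colon-separated list of `package/ServiceClass` entries. The allowlist (TalkBack's package name) and the sample value used for the offline check are assumptions for illustration and should be tailored to the device being examined.

```shell
#!/bin/sh
# Accessibility Service triage for a suspect Android device.
# Added example for this article; not code from McAfee or from the apps above.
#
# Android stores the services a user has granted Accessibility access to in the
# secure setting `enabled_accessibility_services`, as "package/ServiceClass"
# entries separated by ':'. The class may be written in full or abbreviated
# with a leading dot ("pkg/.Svc"); both forms are handled below.

# Assumed allowlist of packages that legitimately provide accessibility
# services on the device under review (TalkBack here). Extend as appropriate.
DEFAULT_ALLOWLIST="com.google.android.marvin.talkback"

# Turn the raw setting value into one "package<TAB>service" line per entry.
# $1: raw value; an empty value or the literal "null" means nothing is enabled.
parse_accessibility_services() {
    raw="$1"
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$raw" | tr ':' '\n' \
        | awk -F'/' 'NF == 2 && $1 != "" { print $1 "\t" $2 }'
}

# Print only the entries whose package is not in the space-separated
# allowlist ($2). Anything printed deserves a manual look: an app with no
# accessibility purpose holding this access is exactly the pattern described.
flag_unexpected_services() {
    raw="$1"
    allow="$2"
    tab="$(printf '\t')"
    parse_accessibility_services "$raw" | while IFS="$tab" read -r pkg svc; do
        case " $allow " in
            *" $pkg "*) ;;                          # expected provider, skip
            *) printf '%s\t%s\n' "$pkg" "$svc" ;;   # unexpected, report
        esac
    done
}

# Live check against an attached device. Returns 2 when adb is unavailable so
# the parsing functions above can still be exercised offline.
check_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found; skipping live check" >&2
        return 2
    fi
    # tr strips the CR that adb shell output carries on some hosts.
    raw="$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
    echo "Apps holding Accessibility access that are not on the allowlist:"
    flag_unexpected_services "$raw" "$DEFAULT_ALLOWLIST"
    echo "Review each package above; remove a suspect app with: adb uninstall <package>"
}

# Run the live check only when explicitly requested, so the file can be sourced
# or tested without a device: sh triage.sh --live
if [ "${1:-}" = "--live" ]; then
    check_device
fi
```

Run it with `--live` against an attached device; any line it prints is a package that was granted Accessibility access and is not on your allowlist. Uninstalling the app is the right remediation, since revoking the permission alone leaves the rest of the malware in place.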