Security researchers have discovered new Android malware that doesn't even require user interaction to launch. However, to become fully operational and carry out the tasks it was designed for, it still needs the victim's approval.
Cybersecurity researchers at McAfee said they have observed a new version of XLoader, a well-known Android malware variant that has been used in the past to steal sensitive user information from victims in the US, UK, Germany, France, Japan, South Korea and Taiwan. This new loader is distributed in the same way as its predecessors: via an SMS message with a shortened URL, which leads to a website hosting the malicious .APK file.
However, the main difference shows up after installation: the victim does not have to open the new variant; it starts automatically, and silently. Google has already been tipped off and is working on a fix: “While the app is installed, their malicious activities start automatically,” McAfee said. “We have already reported this technique to Google and they are already working on implementing measures to prevent this type of automatic execution in a future Android version.”
Asking for permission
But simply running the app isn't enough, as it still needs essential permissions to steal data. To trick victims into granting them, the malware disguises itself as Chrome, but spells the name with Unicode lookalike characters, so the app's name renders in a slightly different-looking font, which should be enough of a red flag. If that doesn't set off any alarms, the permissions the app asks for should: the ability to send and read SMS content, and to run in the background at all times.
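The two red flags described above, a brand name spelled with Unicode lookalike characters and a request for SMS and always-on background permissions, are both easy to check mechanically in an app inventory. The following Python script is an added example written for this article; it is not code from McAfee's report or from the malware. The sample app records are constructed, the confusable-character map is a small hand-built subset rather than the full Unicode confusables table, and the mapping from the article's wording ("send and read SMS", "run in the background") to concrete Android permission names is the example author's assumption.

```python
import unicodedata

# Brand names the label check compares against (assumption: extend as needed).
BRAND_NAMES = {"chrome"}

# Hand-built subset of common confusable letters -> ASCII. Constructed for
# this example; the real Unicode confusables table is far larger.
CONFUSABLES = {
    "\u0421": "C", "\u0441": "c",   # Cyrillic Es
    "\u041e": "O", "\u043e": "o",   # Cyrillic O
    "\u0415": "E", "\u0435": "e",   # Cyrillic Ie
    "\u0440": "p", "\u0430": "a",   # Cyrillic Er, A
    "\u0455": "s", "\u0445": "x",   # Cyrillic Dze, Ha
    "\u0391": "A", "\u03bf": "o",   # Greek Alpha, omicron
}

# Android permissions matching the behaviour the article describes (send and
# read SMS, stay resident in the background). This mapping is an assumption.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def skeleton(label: str) -> str:
    """Fold a label so lookalike spellings compare equal to the plain brand name.

    NFKC handles compatibility forms such as fullwidth letters; the confusable
    map handles letters from other scripts that merely look like Latin ones.
    """
    folded = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).casefold()


def scripts_in(label: str) -> set:
    """Set of Unicode name prefixes (LATIN, CYRILLIC, ...) for the letters in label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def label_findings(label: str) -> list:
    """Flag labels that imitate a brand name or mix writing scripts."""
    findings = []
    if label.casefold() in BRAND_NAMES:
        return findings  # the genuine, plain-ASCII brand name: nothing to flag here
    if skeleton(label) in BRAND_NAMES:
        findings.append(f"label {label!r} is a lookalike of {skeleton(label)!r}")
    if len(scripts_in(label)) > 1:
        findings.append(f"label {label!r} mixes scripts {sorted(scripts_in(label))}")
    return findings


def permission_findings(permissions) -> list:
    """List the risky permissions an app declares, in a stable order."""
    return [f"requests {p}" for p in sorted(RISKY_PERMISSIONS.intersection(permissions))]


def assess(app: dict) -> list:
    """Return all findings for one installed-app record {label, permissions}."""
    return label_findings(app["label"]) + permission_findings(app["permissions"])


# Constructed sample records, not data taken from the McAfee report.
SAMPLE_APPS = [
    {"label": "Chrome", "permissions": ["android.permission.INTERNET"]},
    {"label": "\u0421hr\u043eme",  # Cyrillic Es and O standing in for C and o
     "permissions": ["android.permission.INTERNET",
                     "android.permission.SEND_SMS",
                     "android.permission.READ_SMS",
                     "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"]},
    {"label": "\uff23\uff48\uff52\uff4f\uff4d\uff45",  # fullwidth "Chrome"
     "permissions": ["android.permission.RECEIVE_SMS"]},
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(app["label"], "->", assess(app) or "no findings")
```

The genuine "Chrome" entry produces no findings, while the Cyrillic and fullwidth spellings are flagged as lookalikes even though they display almost identically; the mixed-script check fires only when a label combines letters from different scripts, which is why the all-fullwidth label is caught by the skeleton comparison alone. Feeding the script the label and permission list of each installed package (for example from an MDM export) gives a simple triage signal for the kind of disguise described here.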
Because the pop-up messages requesting these permissions are available in English, Korean, French, Japanese, German and Hindi, McAfee researchers believe users in the countries where those languages are spoken are also targets.
XLoader can steal people’s photos, send text messages, extract existing text messages to a third-party server, export contact lists, retrieve device IDs, and more.
Via BleepingComputer