McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows building Android and iOS apps with .NET. Dubbed Android/Xamalicious, it tries to gain accessibility privileges through social engineering and then communicates with a command-and-control server to evaluate whether or not to download a second-stage payload. That payload is dynamically injected as an assembly DLL at runtime to take full control of the device and potentially perform financially motivated fraudulent actions without user consent, such as clicking on ads and installing apps. The second-stage payload can take full control of the infected device because of the powerful accessibility services that were already granted during the first stage; the first stage also contains functions to self-update the main APK, which means the threat has the potential to perform any type of activity, like spyware or a banking trojan, without user interaction.

However, we identified a link between Xamalicious and the ad-fraud app "Cash Magnet", which automatically clicks ads, installs apps and performs other actions to fraudulently generate revenue, while users who installed it may earn points that are supposed to be redeemable as a retail gift card. This means that the developers behind these threats are financially motivated and drive ad fraud, so this is likely one of the main payloads of Xamalicious.

The usage of the Xamarin framework allowed the malware authors to stay active and undetected for a long time, taking advantage of the APK build process, which worked as a packer to hide the malicious code. In addition, the malware authors implemented different obfuscation techniques and custom encryption to exfiltrate data and communicate with the command-and-control server.

We've identified about 25 different malicious apps that carry this threat. Some variants have been distributed on Google Play since mid-2020. The apps identified in this report were proactively removed by Google from Google Play ahead of our reporting. McAfee is a member of the App Defense Alliance and an active partner in the malware mitigation program, which aims to quickly find Potentially Harmful Applications (PHAs) and stop them before they ever make it onto Google Play. Android users are protected by Google Play Protect, which can warn users of identified malicious apps on Android devices. Based on the number of installations, these apps may have compromised at least 327,000 devices from Google Play, plus the installations coming from third-party markets, which continually produce new infections according to the detection telemetry of McAfee clients around the world. McAfee Mobile Security detects this threat as Android/Xamalicious. This threat remains very active.

Figure 1. "Count Easy Calorie Calculator" was available on Google Play in August 2022 and carries Android/Xamalicious

Android/Xamalicious trojans are apps related to health, games, horoscope, and productivity. Most of these apps are still available for download in third-party marketplaces.

Previously we detected malware abusing the Xamarin framework, such as the open-sourced AndroSpy and forked versions of it, but Xamalicious is implemented differently. Technical details about the Xamarin architecture are well documented and describe how .NET code is interpreted on Android using Mono. This is not the traditional Java code or native ELF Android application: the malware module was originally written in .NET and compiled into a dynamic link library (DLL). The DLL is then LZ4 compressed and either embedded into a BLOB file or placed directly in the /assemblies directory of the APK. This code is then loaded by a native library (ELF) or by the DEX file at runtime. In simple words, this means that in some samples reversing the DLL assemblies is straightforward, while in others it requires extra steps to unpack them.

Let's use the app "Numerology: Personal horoscope & Number predictions" as an example. Once started, it immediately requests the victim to enable accessibility services for "correct work" and provides directions to activate this permission:

Figure 2. Tricking users into granting accessibility services permission

Users need to manually activate the accessibility services after several OS warnings, such as the following on the accessibility options:

Figure 3. Accessibility services configuration prompt highlights the risks of this permission

On a test device, the services that currently hold this permission can be listed over USB debugging with "adb shell settings get secure enabled_accessibility_services", which is a quick way to confirm whether a suspicious app has already been granted it.
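The packaging scheme described above (a .NET DLL, LZ4 compressed, stored either in assemblies/*.dll or inside an assemblies.blob container) is what makes some samples easy to reverse and others not. The following Python script is an added example, not code from the McAfee report or from Xamalicious itself. It assumes the compressed-assembly layout from the open Xamarin.Android sources: a 12-byte header of the magic "XALZ", a uint32 descriptor index and a uint32 uncompressed length, followed by one raw LZ4 block; the "XABA" magic for assemblies.blob is likewise taken from those sources, and that container is only detected, not parsed. The sample APK and DLL bytes are constructed inline so the script runs offline.

```python
import io
import struct
import zipfile

XALZ_MAGIC = b"XALZ"   # assumed: header of an LZ4-compressed Xamarin.Android assembly
XABA_MAGIC = b"XABA"   # assumed: header of an assemblies.blob store (not parsed here)


def lz4_block_decompress(src: bytes, expected_size: int) -> bytes:
    """Decode one raw LZ4 block (no frame header, no checksums).

    Pure Python so it runs without the lz4 package; slow but fine for a DLL.
    """
    out = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        # literal run length: high nibble, 15 means more length bytes follow
        lit_len = token >> 4
        if lit_len == 15:
            while True:
                extra = src[i]
                i += 1
                lit_len += extra
                if extra != 255:
                    break
        out += src[i:i + lit_len]
        i += lit_len
        if i >= n:
            break                      # final sequence holds literals only
        # match: 2-byte little-endian back-reference, then length (low nibble + 4)
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(out):
            raise ValueError("corrupt LZ4 block: match offset outside output")
        match_len = (token & 0x0F) + 4
        if (token & 0x0F) == 15:
            while True:
                extra = src[i]
                i += 1
                match_len += extra
                if extra != 255:
                    break
        start = len(out) - offset
        for k in range(match_len):     # byte-wise copy so overlapping runs work
            out.append(out[start + k])
    if len(out) != expected_size:
        raise ValueError(f"decompressed {len(out)} bytes, header promised {expected_size}")
    return bytes(out)


def unpack_xamarin_assembly(data: bytes) -> bytes:
    """Return the raw .NET assembly bytes, decompressing an XALZ wrapper if present."""
    if data[:4] != XALZ_MAGIC:
        return data                    # stored uncompressed: already a PE/.NET DLL
    # 12-byte header: magic, descriptor index, uncompressed length (uint32 LE each)
    _index, size = struct.unpack_from("<II", data, 4)
    dll = lz4_block_decompress(data[12:], size)
    if dll[:2] != b"MZ":
        raise ValueError("payload does not start with a PE 'MZ' header")
    return dll


def extract_assemblies(apk_bytes: bytes) -> dict:
    """Map every assemblies/*.dll entry in the APK to its unpacked bytes.

    An assemblies.blob store is reported under its own key with the value None:
    that container needs a dedicated parser and is out of scope here.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("assemblies/"):
                continue
            entry = z.read(name)
            if name.endswith(".dll"):
                found[name] = unpack_xamarin_assembly(entry)
            elif entry[:4] == XABA_MAGIC:
                found[name] = None
    return found


# Constructed sample data (not taken from any real Xamalicious sample):
# one LZ4 sequence "MZAB" + 8-byte overlapping match at offset 2, then literals "END",
# which expands to b"MZABABABABABEND" (15 bytes).
SAMPLE_LZ4 = bytes([0x44]) + b"MZAB" + b"\x02\x00" + bytes([0x30]) + b"END"
SAMPLE_PLAIN_DLL = b"MZ\x90\x00" + b"\x00" * 12


def build_sample_apk() -> bytes:
    """Build a minimal in-memory APK with one stored and one XALZ-packed DLL."""
    packed = XALZ_MAGIC + struct.pack("<II", 0, 15) + SAMPLE_LZ4
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("assemblies/Plain.dll", SAMPLE_PLAIN_DLL)
        z.writestr("assemblies/Packed.dll", packed)
    return buf.getvalue()


if __name__ == "__main__":
    for name, body in extract_assemblies(build_sample_apk()).items():
        print(name, "->", "blob store (unparsed)" if body is None else body[:16])
```

Against a real APK, replace build_sample_apk() with the file's bytes; anything that comes back still without an "MZ" prefix, or an assemblies.blob entry, is the "extra steps" case the text mentions and needs a blob-aware unpacker before the DLL can be loaded into a .NET decompiler.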