Android malware infects devices to take full control for various illicit purposes like:-
Stealing sensitive information
Generating unauthorized financial transactions
Enabling remote attacks
By gaining complete control, threat actors can exploit the device for their illicit activities, posing significant threats to:-
User privacy
User security
Cybersecurity analysts at McAfee Mobile Research recently found an Android backdoor, “Android/Xamalicious,” using the Xamarin framework to infect devices and take full control.
Android Malware Gain Device Control
It employs social engineering for accessibility privileges and communicates with the C2 server. Second-stage payload dynamically injected as assembly DLL, which takes full control for:-
Ad fraud
App installs
Financially motivated actions
Researchers identified the link to the ad-fraud app “Cash Magnet,” revealing financial motivation. Xamarin usage allows long-term activity, hiding malicious code in the APK build process.
Cash Magnet (Source – McAfee)
The custom encryption and the obfuscation techniques were used for communication and data exfiltration. Around 25 malicious apps carry the threat, some on Google Play since mid-2020.
McAfee’s proactive measures and Google Play Protect aim to mitigate Potentially Harmful Applications. Android/Xamalicious detected on at least 327,000 devices, remains highly active.
Android/Xamalicious trojans disguise as apps from the following categories that are available in third-party markets:-
Health
Game
Horoscope
Productivity
Unlike previous Xamarin-based malware, Xamalicious is distinct in its implementation. Xamarin architecture allows .NET code interpretation on Android via Mono.
An example app, “Numerology” prompts victims to enable accessibility services for deceptive functionality.
Tricking users into permitting accessibility services (Source – McAfee)
All the accessibility services need to be activated manually after several OS warnings.
Accessibility services configuration prompt (Source – McAfee)
Malware varies from traditional Java or ELF Android code and the original .NET, compiled into DLL, LZ4 compressed, and embedded in BLOB or /assemblies directory.
Besides this, it is loaded by ELF or DEX at runtime, reversing varies in complexity, and the code is commonly available in the following assemblies:-
core.dll
<package-specific>.dll
Some variants obfuscate DLLs, while others retain the original code. After acquiring accessibility permissions, the malware contacts the server for the second-stage payload.
App execution and communication with the malicious server (Source – McAfee) Xamalicious malware checks the victim’s device info, like apps and rooting status, via system commands. If rooted or connected via ADB, it skips the second-stage payload download.
Here below, we have mentioned the types of information that are collected by the malware:-
Data collected (Source – McAfee) With the help of RSA-OAEP and HTTPS, the Xamalicious encrypts all the data to evade detection. However, if the C2 infrastructure is available, then the hardcoded RSA keys in the DLL enable decryption.
The Send() function encrypts data with a JWT and sends it to “/Updater” via HTTP POST. The decrypt() function uses a hardcoded RSA private key for C2 responses, possibly containing a second-stage payload.
Data sent to the C&C server that decides second-stage payload delivery and malware’s self-protection includes:-
Rooting
ADB
SIM checks
The C&C encrypts DLL with AES and device-specific key, the device decrypts the token, and then the ‘URL,’ parameter with a custom AES key unique to device details.
Malicious apps Detected
Here below, we have mentioned all the malicious apps detected:-
Malicious apps (Source – McAfee)
Countries from where users were affected
Here below, we have mentioned all the countries from where most of the users are affected:-
The USA
Brazil
Argentina
The UK
Spain
Germany
IOCs
IOCs (Source – McAfee) The post Android Malware Actively Infecting Devices to Take Full Control appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform .
Top News
-
U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain
Law enforcement authorities have allegedly arrested a key member of the notorious cybercrime group called Scattered Spider. The individual, a...
-
Lừa đảo mạo danh ‘nở rộ’ trên không gian mạng và ngày càng tinh vi
Dù hình thức không mới song lừa đảo mạo danh hiện vẫn đang khiến nhiều người dân tại Việt Nam và trên thế giới sập bẫy, bị chiếm đoạt tài sản.
-
Lừa đảo đánh cắp mã OTP tinh vi, tấn công mạng tận dụng lỗ hổng mới
Xuất hiện lừa đảo đánh cắp mã OTP tinh vi; Hacker gia tăng tốc độ tận dụng các lỗ hổng mới,... là những thông tin công nghệ trong nước nổi bật...
-
Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users
Hackers are targeting, attacking, and exploiting ML models. They want to hack into these systems to steal sensitive data, interrupt services, or...
-
Sleepy Pickle - Kỹ thuật tấn công mới nhắm vào các mô hình học máy
Sleepy Pickle là một kỹ thuật tấn công mới lạ và bí mật nhắm vào chính mô hình ML (Machine Learning) thay vì hệ thống cơ bản. {...