The recently uncovered Android backdoor, named ‘Xamalicious,’ has infected approximately 338,300 devices through malicious apps on Google Play. A member of the App Defense Alliance, 14 infected apps were identified on Google Play, with three boasting 100,000 installs each.
Although Google Play has removed these apps, users who installed them since mid-2020 may still harbor active Xamalicious infections, necessitating manual scans and cleanup. Notable among the infected apps are ‘Essential Horoscope for Android,’ ‘3D Skin Editor for PE Minecraft,’ and ‘Logo Maker Pro,’ each with 100,000 installs.
Moreover, a set of 12 additional malicious apps carrying the Xamalicious threat, distributed on unofficial third-party app stores via downloadable APK files, further pose a risk.
Xamalicious, a .NET-based Android backdoor embedded in apps developed using the Xamarin framework, complicates code analysis. Post-installation, it requests Accessibility Service access, granting it privileges for actions such as navigation gestures and hiding on-screen elements. The backdoor communicates with a command and control (C2) server to fetch a second-stage DLL payload (‘cache.bin’) based on specific prerequisites.
Capable of executing various commands, Xamalicious gathers device information, determines geographic location, checks for emulator status, identifies root status, lists installed apps, reports accessibility service permissions, and fetches the second-stage payload from the C2 server.
Most infections were detected in the United States, Germany, Spain, the U.K., Australia, Brazil, Mexico, and Argentina. Users who installed the affected apps are advised to conduct manual scans for potential infections on their devices.