Summary
- Over 338,000 Android devices infected by “Xamalicious” Android backdoor via malicious apps on Google Play & unofficial stores.
- Popular apps like Essential Horoscope & 3D Skin Editor for PE Minecraft were infected (now removed from Google Play).
- Past installations still pose a threat; manual scans and security checks are crucial.
- Xamalicious uses Accessibility Service to control devices and downloads further payloads from its C2 server.
- Stay vigilant, use only trusted app stores, and regularly scan your device for potential threats.
A recent security discovery by McAfee has revealed a stealthy Android backdoor named “Xamalicious,” infecting over 338,300 devices worldwide. The malicious apps responsible have been removed from Google Play, but removing an app from the store does not uninstall it from devices that already have it, so the threat remains for users who installed them between mid-2020 and December 2023. This underscores the importance of vigilance and proactive device security measures.
User Impact: Past Infections Remain a Threat
Although the infected apps are no longer available on Google Play, anyone who installed them during the active period may still be carrying an active Xamalicious infection, since a store takedown does not touch apps already on the device. Regular scans and manual checks are crucial to eliminate any lingering traces of the malware.
Popular Infected Apps By Android Backdoor ‘Xamalicious’: Beware These Disguises
Some of the most popular infected apps include Essential Horoscope for Android, 3D Skin Editor for PE Minecraft, Logo Maker Pro, and Auto Click Repeater. Users who downloaded these apps are advised to uninstall them immediately, review which apps currently hold Accessibility Service access, scan their devices, and consider a factory reset as a last resort.
Spread Through Unapproved Stores: Sideloading Risks
Beyond Google Play, a separate set of 12 malicious apps carrying Xamalicious targets users who download APK files from unofficial third-party app stores. This highlights the inherent risks of sideloading apps, and users should stick to trusted sources like Google Play for their app downloads.
Geographical Impact: Global Reach Highlights Widespread Threat
McAfee’s telemetry data reveals that Xamalicious infections are not geographically limited. Countries like the United States, Germany, Spain, the UK, Australia, Brazil, Mexico, and Argentina have seen a significant number of affected devices, emphasizing the global reach of this threat.
What is Xamalicious?: Unpacking the Malicious Code
Xamalicious is a .NET-based Android backdoor hidden inside apps built with the Xamarin framework. Because the malicious logic lives in .NET assemblies rather than in the app's Dalvik bytecode, tooling aimed at ordinary Android apps does not see it directly, which makes code analysis more complex. The backdoor relies on Accessibility Service access: once the user grants it, the app can perform navigation gestures on the user's behalf, hide on-screen elements, and tap through system dialogs to grant itself additional permissions.
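The two traits described above (a Xamarin build and a declared Accessibility Service) are also the two things worth checking for when doing the manual review recommended earlier on this page. The following is an added example written for this article, not code from McAfee or from the article's author: a small Python triage script that inspects an APK for .NET assemblies and for the `android.permission.BIND_ACCESSIBILITY_SERVICE` string in its compiled manifest, and that compares a device's list of enabled accessibility services (the output of `adb shell settings get secure enabled_accessibility_services`) against an allowlist of components the owner knowingly enabled. The sample APK and the sample settings output are constructed for the demonstration; the package name `com.example.skineditor` is hypothetical.

```python
"""Triage helpers for the checks the article recommends.

Added example, not McAfee's or the article author's code. Two heuristics:
  1. apk_indicators(): open an APK (a zip) and look for a Xamarin build
     (.NET assemblies shipped under assemblies/) and a declared Accessibility
     Service (the compiled manifest contains the BIND_ACCESSIBILITY_SERVICE
     permission string).
  2. unexpected_accessibility_services(): compare the device's enabled
     accessibility services with an allowlist of components the owner trusts.
A hit means "look closer", not "this is malware".
"""
import io
import zipfile

BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Binary AXML stores its string pool as UTF-8 or UTF-16LE; matching the raw
# bytes in both encodings avoids parsing the full manifest format.
_NEEDLES = (BIND_ACCESSIBILITY.encode("utf-8"),
            BIND_ACCESSIBILITY.encode("utf-16-le"))


def apk_indicators(apk_bytes: bytes) -> dict:
    """Return {"xamarin", "accessibility_service", "assemblies"} for an APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        assemblies = sorted(n for n in names
                            if n.startswith("assemblies/") and n.lower().endswith(".dll"))
        manifest = apk.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    return {
        "xamarin": bool(assemblies),
        "accessibility_service": any(needle in manifest for needle in _NEEDLES),
        "assemblies": assemblies,
    }


def parse_enabled_services(settings_output: str) -> list:
    """Parse the colon-separated enabled_accessibility_services value.

    `settings get` prints the literal word "null" when the setting is unset.
    """
    value = settings_output.strip()
    if not value or value == "null":
        return []
    return [component for component in value.split(":") if component]


def unexpected_accessibility_services(settings_output: str, allowlist: set) -> list:
    """Return enabled accessibility components whose package is not allowlisted."""
    unexpected = []
    for component in parse_enabled_services(settings_output):
        package = component.split("/", 1)[0]
        if package not in allowlist:
            unexpected.append(component)
    return unexpected


def build_sample_apk(xamarin: bool = True, accessibility: bool = True) -> bytes:
    """Constructed stand-in for an APK (not a real sample): a Xamarin-style
    layout and a manifest fragment carrying the permission string in UTF-16LE,
    the way binary AXML would store it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        manifest = b"\x03\x00\x08\x00"  # AXML chunk header bytes, for realism only
        if accessibility:
            manifest += BIND_ACCESSIBILITY.encode("utf-16-le")
        apk.writestr("AndroidManifest.xml", manifest)
        apk.writestr("classes.dex", b"dex\n035\x00")
        if xamarin:
            apk.writestr("assemblies/Mono.Android.dll", b"MZ")
            apk.writestr("assemblies/App.dll", b"MZ")
    return buf.getvalue()


if __name__ == "__main__":
    print(apk_indicators(build_sample_apk()))
    # Constructed output of: adb shell settings get secure enabled_accessibility_services
    # (the second component uses a hypothetical package name)
    sample = ("com.google.android.marvin.talkback/"
              "com.google.android.marvin.talkback.TalkBackService:"
              "com.example.skineditor/.AccessSvc")
    print(unexpected_accessibility_services(sample, {"com.google.android.marvin.talkback"}))
```

On a real device, pull an APK with `adb shell pm path <package>` followed by `adb pull`, and feed the file's bytes to `apk_indicators()`. Two caveats: the manifest check is a byte-level heuristic, not a parse, so it also flags legitimate accessibility tools (that is why the allowlist exists), and newer .NET for Android builds can pack assemblies into a store under `lib/` instead of loose `.dll` files, so the absence of an `assemblies/` directory does not prove an app is not Xamarin-based.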
C2 Server Interaction: Remote Control & Second-Stage Payload
Following installation, Xamalicious contacts a remote command and control (C2) server. Only if the device passes checks on geographical location, network configuration, and device status does the server deliver a second-stage payload that grants even greater control over the infected device. Because delivery is gated this way, an analysis environment that fails those checks may never receive the second stage, so its absence in a sandbox run is not proof that the app is benign.
Conclusion
The Xamalicious discovery serves as a stark reminder of the ever-evolving landscape of cyber threats. Users must remain vigilant when downloading apps, even from official stores, and prioritize robust security measures like antivirus software and regular system scans to protect their devices from such malicious actors.
Disclaimer:
AI was used to conduct research and help write parts of the article. We primarily use the Gemini model developed by Google AI. While AI-assisted in creating this content, it was reviewed and edited by a human editor to ensure accuracy, clarity, and adherence to Google's webmaster guidelines.