According to the McAfee Mobile Research Team, a new Android backdoor called "Android/Xamalicious" has been identified. It is implemented with Xamarin, an open-source framework for building Android and iOS apps with .NET and C#. The backdoor first tries to obtain accessibility privileges through social engineering, then contacts its command-and-control server, which decides whether to deliver a second-stage payload. That payload is dynamically injected as an assembly DLL at runtime to take full control of the device and potentially perform fraudulent, financially motivated actions such as clicking on ads or installing apps without user consent. The second stage can take full control of the infected device because of the powerful accessibility services already granted during the first stage; it also contains functions to self-update the main APK, so it has the potential to perform any type of activity, like spyware or a banking trojan, without user consent. Based on installation counts, these apps may have compromised at least 327,000 devices from Google Play, plus installations from third-party markets that continually produce new infections according to McAfee's detection telemetry from clients around the world. This threat remains very active.
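As an added example (not code from the McAfee report or this page), a small Python triage helper for defenders: it hashes an APK with the three digest types published as indicators and checks whether the archive bundles Xamarin .NET assemblies, the framework the backdoor is built on. The indicator set and the in-memory sample APK are constructed placeholders, and the `assemblies/` naming it looks for is an assumption about typical Xamarin.Android packaging.

```python
import hashlib
import io
import zipfile

# Constructed placeholder indicator set: in practice load the MD5/SHA1/SHA256
# values from the published report. These are NOT real Xamalicious hashes.
KNOWN_BAD = {"md5": set(), "sha1": set(), "sha256": set()}


def file_hashes(data: bytes) -> dict:
    """Compute the three digests commonly published as file indicators."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def xamarin_assemblies(data: bytes) -> list:
    """List managed .NET assemblies bundled in the APK (assumed layout:
    assemblies/*.dll, or an assemblies/*.blob bundle in newer builds).
    A Xamarin-built backdoor keeps its logic in these DLLs, not in classes.dex."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(
            n for n in zf.namelist()
            if n.startswith("assemblies/") and n.lower().endswith((".dll", ".blob"))
        )


def triage(data: bytes, iocs: dict = KNOWN_BAD) -> dict:
    """Hash-match against known indicators and flag Xamarin packaging."""
    h = file_hashes(data)
    assemblies = xamarin_assemblies(data)
    return {
        "hashes": h,
        "ioc_match": any(h[k] in iocs.get(k, ()) for k in h),
        "xamarin": bool(assemblies),
        "assemblies": assemblies,
    }


def build_sample_apk() -> bytes:
    """Constructed minimal zip mimicking the layout of a Xamarin APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"placeholder")
        zf.writestr("classes.dex", b"placeholder")
        zf.writestr("assemblies/Mono.Android.dll", b"placeholder")
        zf.writestr("assemblies/App.Core.dll", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_apk()))
```

A Xamarin hit alone is not malicious (many legitimate apps use the framework); it is a triage signal to combine with the hash match and with the accessibility-service behaviour described above.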
IoC
REFERENCES
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/stealth-backdoor-android-xamalicious-actively-infecting-devices/
- https://otx.alienvault.com/pulse/658c40da58889532fbfe245c
TAGS
google play, rsa key, android, cash magnet, xamalicious, xamarin, updater, pixel, tarot