Wednesday, January 3, 2024

Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices

According to the McAfee Mobile Research Team, a new Android backdoor named "Android/Xamalicious" has been identified. It is built with Xamarin, an open-source framework for writing Android and iOS apps in .NET and C#.

The first stage uses social engineering to get the user to grant it accessibility privileges, then contacts its command-and-control server, which decides whether to deliver a second-stage payload. That payload is an assembly DLL injected dynamically at runtime. Because the accessibility service was already granted during the first stage, the second stage can take full control of the device and perform financially motivated actions without user consent, such as clicking on ads and installing apps. The first stage also contains functions to self-update the main APK, so the malware could be extended to behave like spyware or a banking trojan.

Based on install counts, these apps may have compromised at least 327,000 devices through Google Play, plus installations from third-party markets, which continue to produce new infections according to detection telemetry from McAfee clients worldwide. This threat remains very active.

IoC

    MD5

  • 359bbd612d493176603d04c07a85c2a3
  • 54b9c0431e2c2d450d54b7307af1b94e
  • 93ec54584746e28873614e2e8e34876f
  • 9c25f99768fd9af907d7dd10410c58c2
  • a28da4ba0f525691b41c0c27f747b938
  • aae0796b4aac163ddb7b65754a446710
  • d1547228961d30c5bbb2ee3f103afed6

    SHA1

  • 0b50afd999b01712edce2f03c3fa76768591bd40
  • 5a1e9d7fd2205d19298ec2b8990e487543a18580
  • 61bed88a02468f90f8d871455ede227240c68e36
  • 6bf2bf331b8ca2e265d4017e7271fb57ccd0625a
  • c10445557bd3b554175e34e5cd38e4c4381be9d9
  • c2477323b60f9d95203bc2110e6951ccc2c2c187
  • cfdafb9945fb2153c2e0ac94e8b5b0ef8da1bbfa

    SHA256

  • 01c56911c7843098777ec375bb5b0029379b0457a9675f149f339b7db823e996
  • 117fded1dc51eff3788f1a3ec2b941058ce32760acf61a35152be6307f6e2052
  • 19ffe895b0d1be65847e01d0e3064805732c2867ce485dfccc604432faadc443
  • 1bfc02c985478b21c6713311ca9108f6c432052ea568458c8bd7582f0a825a48
  • 22803693c21ee17667d764dd226177160bfc2a5d315e66dc355b7366b01df89b
  • 28a4ae5c699a7d96e963ca5ceec304aa9c4e55bc661e16c194bdba9a8ad847b7
  • 3201785a7de8e37e5d12e8499377cfa3a5b0fead6667e6d9079d8e99304ce815
  • 5fffb10487e718634924552b46e717bbcbb6a4f9b1fed02483a6517f9acd2f61
  • 6953ba04233f5cf15ab538ae191a66cb36e9e0753fcaeeb388e3c03260a64483
  • 6a3455ff881338e9337a75c9f2857c33814b7eb4060c06c72839b641b347ed36
  • 7149acb072fe3dcf4dcc6524be68bd76a9a2896e125ff2dddefb32a4357f47f6
  • 81a9a6c86b5343a7170ae5abd15f9d2370c8282a4ed54d8d28a3e1ab7c8ae88e
  • 8927ff14529f03cbb2ebf617c298f291c2d69be44a8efa4e0406dea16e53e6f9
  • 899b0f186c20fdbfe445b4722f4741a5481cd3cbcb44e107b8e01367cccfdda3
  • 9b4dc1e80a4f4c798d0d87a52f52e28700b5b38b38a532994f70830f24f867ba
  • 9c646516dd189cab1b6ced59bf98ade42e19c56fc075e42b85d597449bc9708b
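A quick way to put the hashes above to use, as an added example that is not code from the McAfee report or from this post: the script below hashes APK files in a single pass (MD5, SHA-1 and SHA-256) and reports which of the three indicator sets each file hits. The indicator sets are copied from the IoC list above; the file paths are whatever you pass on the command line (the sample inputs in the comments are constructed). A miss only means the file is not byte-identical to one of the published samples; any repackaging changes every hash, so pair this with the behavioural signs in the write-up (an app asking for accessibility access it does not need).

```python
"""Check APK files against the Android/Xamalicious hashes listed above."""
import hashlib
import io
import sys
from pathlib import Path

# Indicator sets copied from the IoC list above (lowercase hex). These are the
# only real data in this example; everything else is illustrative code.
XAMALICIOUS_MD5 = {
    "359bbd612d493176603d04c07a85c2a3",
    "54b9c0431e2c2d450d54b7307af1b94e",
    "93ec54584746e28873614e2e8e34876f",
    "9c25f99768fd9af907d7dd10410c58c2",
    "a28da4ba0f525691b41c0c27f747b938",
    "aae0796b4aac163ddb7b65754a446710",
    "d1547228961d30c5bbb2ee3f103afed6",
}
XAMALICIOUS_SHA1 = {
    "0b50afd999b01712edce2f03c3fa76768591bd40",
    "5a1e9d7fd2205d19298ec2b8990e487543a18580",
    "61bed88a02468f90f8d871455ede227240c68e36",
    "6bf2bf331b8ca2e265d4017e7271fb57ccd0625a",
    "c10445557bd3b554175e34e5cd38e4c4381be9d9",
    "c2477323b60f9d95203bc2110e6951ccc2c2c187",
    "cfdafb9945fb2153c2e0ac94e8b5b0ef8da1bbfa",
}
XAMALICIOUS_SHA256 = {
    "01c56911c7843098777ec375bb5b0029379b0457a9675f149f339b7db823e996",
    "117fded1dc51eff3788f1a3ec2b941058ce32760acf61a35152be6307f6e2052",
    "19ffe895b0d1be65847e01d0e3064805732c2867ce485dfccc604432faadc443",
    "1bfc02c985478b21c6713311ca9108f6c432052ea568458c8bd7582f0a825a48",
    "22803693c21ee17667d764dd226177160bfc2a5d315e66dc355b7366b01df89b",
    "28a4ae5c699a7d96e963ca5ceec304aa9c4e55bc661e16c194bdba9a8ad847b7",
    "3201785a7de8e37e5d12e8499377cfa3a5b0fead6667e6d9079d8e99304ce815",
    "5fffb10487e718634924552b46e717bbcbb6a4f9b1fed02483a6517f9acd2f61",
    "6953ba04233f5cf15ab538ae191a66cb36e9e0753fcaeeb388e3c03260a64483",
    "6a3455ff881338e9337a75c9f2857c33814b7eb4060c06c72839b641b347ed36",
    "7149acb072fe3dcf4dcc6524be68bd76a9a2896e125ff2dddefb32a4357f47f6",
    "81a9a6c86b5343a7170ae5abd15f9d2370c8282a4ed54d8d28a3e1ab7c8ae88e",
    "8927ff14529f03cbb2ebf617c298f291c2d69be44a8efa4e0406dea16e53e6f9",
    "899b0f186c20fdbfe445b4722f4741a5481cd3cbcb44e107b8e01367cccfdda3",
    "9b4dc1e80a4f4c798d0d87a52f52e28700b5b38b38a532994f70830f24f867ba",
    "9c646516dd189cab1b6ced59bf98ade42e19c56fc075e42b85d597449bc9708b",
}

ALGORITHMS = ("md5", "sha1", "sha256")
INDICATORS = {"md5": XAMALICIOUS_MD5, "sha1": XAMALICIOUS_SHA1, "sha256": XAMALICIOUS_SHA256}


def hash_stream(stream, chunk_size=1 << 20):
    """Compute all three digests in one pass over the stream (APKs can be tens of MB)."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, chunk_size=1 << 20):
    """Same as hash_stream, for an in-memory sample (used by the tests below)."""
    return hash_stream(io.BytesIO(data), chunk_size)


def match_indicators(digests, indicators=INDICATORS):
    """Names of the algorithms whose digest hits an indicator set, in ALGORITHMS order."""
    return [name for name in ALGORITHMS
            if digests.get(name, "").lower() in indicators.get(name, set())]


def scan_file(path, indicators=INDICATORS):
    """Hash one file and report which indicator sets it matches."""
    with open(path, "rb") as f:
        digests = hash_stream(f)
    return {"path": str(path), "digests": digests,
            "matched": match_indicators(digests, indicators)}


def iter_files(args):
    """Expand each argument to the files under it; directories are walked recursively."""
    for arg in args:
        p = Path(arg)
        if p.is_dir():
            yield from (c for c in p.rglob("*") if c.is_file())
        else:
            yield p


def main(argv):
    # Usage (hypothetical paths): python xamalicious_check.py ./pulled_apks suspicious.apk
    hits = 0
    for path in iter_files(argv):
        result = scan_file(path)
        if result["matched"]:
            hits += 1
            print(f"MATCH {result['path']} via {','.join(result['matched'])} "
                  f"sha256={result['digests']['sha256']}")
    print(f"{hits} file(s) matched Xamalicious indicators")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The script exits non-zero when anything matches, so it can gate an automated pipeline (for example, hashing APKs pulled from devices with `adb pull` before they are allowed into a corporate app catalogue). Matching on all three algorithms rather than SHA-256 alone costs nothing extra and lets you consume feeds that only publish MD5 or SHA-1.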

REFERENCES

  • https://www.mcafee.com/blogs/other-blogs/mcafee-labs/stealth-backdoor-android-xamalicious-actively-infecting-devices/
  • https://otx.alienvault.com/pulse/658c40da58889532fbfe245c

TAGS

google play, rsa key, android, cash magnet, xamalicious, xamarin, updater, pixel, tarot
