Rewterz Threat Alert – New Android Malware ‘Xamalicious’ Being Distributed via Google Play Store – Active IOCs

Severity

High

Analysis Summary

Cybersecurity researchers have discovered a new Android malware called Xamalicious that is capable of taking complete control of the infected device and carrying out fraudulent activities. The malware is developed using Xamarin, which is an open-source framework for making iOS and Android apps with .NET and C#. Most of the infections are seen in Brazil, the U.S., Argentina, Spain, the UK, and Germany.

The threat actors behind Xamalicious rely on social engineering to get accessibility privileges before connecting to the command-and-control (C2) server to decide whether to download a second-stage payload or not. The payload is dynamically injected as an assembly DLL at runtime level and takes full control of the device. The intruders then perform malicious actions like installing apps and clicking on ads to generate revenue. The second stage payload leverages accessibility services that are granted access during the first stage for taking control of the compromised device. The malicious code features a self-update mechanism for the main APK, making the threat pretty versatile.

Analysts uncovered a link between Xamalicious and the ad-fraud app called “Cash Magnet” that scammers use to generate revenue by using devices to install apps, click on ads, and perform other similar tasks. It is believed that the threat actors behind this malware are financially motivated. Utilizing the Xamarin framework allowed the attackers to evade detection from researchers and security solutions for a long time. The developers also implemented custom encryption and various obfuscation techniques.

The researchers have identified almost 25 different malicious apps, some of which have been on Google Play since around 2020. These apps have been downloaded at least 327,000 times and pretend to be games, health, productivity, and horoscope apps. Google acted fast and removed the malware-laced apps from the Play Store. To avoid detection and analysis, the malware encrypts all communication done with the C2.

This is some advanced encryption that goes beyond HTTPS protection and uses a JSON Web Encryption (JWE) token that is encrypted with RSA-OAEP and a 128CBC-HS256 algorithm. Notably, the RSA key values that are employed by Xamalicious are hardcoded into the decompiled malicious DLL that enables the decryption of information that is transmitted to the C2 infrastructure if it is accessible during the analysis.

When Android applications are written in non-Java code with frameworks like React Native, Flutter, and Xamarin, it provides a layer of obfuscation to the malware developers who intentionally use these tools to avoid being detected and keep their presence on the app market. It is highly recommended to avoid using apps that ask for permission to use accessibility services unless a genuine reason is provided.

Impact

• Unauthorized Access
• Exposure to Sensitive Information

Indicators of Compromise

MD5

• 9c25f99768fd9af907d7dd10410c58c2
• 4a5efb948e621e5608d94492cf499082
• 93ec54584746e28873614e2e8e34876f
• 54b9c0431e2c2d450d54b7307af1b94e
• aae0796b4aac163ddb7b65754a446710
• d1547228961d30c5bbb2ee3f103afed6
• a28da4ba0f525691b41c0c27f747b938

SHA-256

• dfdca848aecb3439b8c93fd83f1fd4036fc671e3a2dcae9875b4648fd26f1d63
• e7ffcf1db4fb13b5cb1e9939b3a966c4a5a894f7b1c1978ce6235886776c961e
• 117fded1dc51eff3788f1a3ec2b941058ce32760acf61a35152be6307f6e2052
• 28a4ae5c699a7d96e963ca5ceec304aa9c4e55bc661e16c194bdba9a8ad847b7
• 899b0f186c20fdbfe445b4722f4741a5481cd3cbcb44e107b8e01367cccfdda3
• e694f9f7289677adaf2c2e93ba0ac24ae38ab9879a34b86c613dd3c60a56992d
• 19ffe895b0d1be65847e01d0e3064805732c2867ce485dfccc604432faadc443

SHA-1

• 6bf2bf331b8ca2e265d4017e7271fb57ccd0625a
• 8ceedfd9ef8c4b4c86476d9b32ea1fd5d4d4e228
• cfdafb9945fb2153c2e0ac94e8b5b0ef8da1bbfa
• c10445557bd3b554175e34e5cd38e4c4381be9d9
• c2477323b60f9d95203bc2110e6951ccc2c2c187
• 5a1e9d7fd2205d19298ec2b8990e487543a18580
• 0b50afd999b01712edce2f03c3fa76768591bd40

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Educate users about the dangers of clicking on links or downloading apps from unknown sources sent via email, text messages, or social media. Phishing attacks can trick users into installing malicious apps.
• Users should review app permissions before installation. If an app requests unnecessary or excessive permissions, it might be suspicious.
• Encourage users to only download and install apps from trusted sources, such as the official Google Play Store. Sideloading apps from third-party sources increases the risk of installing malicious applications.
• Install reputable mobile security apps that offer real-time threat detection and malware protection. These apps can help identify and block malicious apps before they are installed.
• Regularly scan your device for malware using security apps. This helps identify any potentially malicious apps that might have been inadvertently installed.
• Security software providers should continually update their tools to detect and mitigate new and sophisticated evasion techniques.
• App stores should enforce strict guidelines for app submissions to ensure that only legitimate and secure apps are made available to users.
• Encourage users to report suspicious apps to app stores or security researchers. This helps identify and remove malicious apps from circulation.