McAfee has identified ‘Xamalicious’, a stealthy Android backdoor that has infected an estimated 338,300 devices through malicious apps published on Google Play. McAfee found 14 malicious apps on Google Play, three of which had reached 100,000 installations each; the most widely installed were Essential Horoscope for Android and 3D Skin Editor for PE Minecraft. Once installed, the malware asks the user to grant it Accessibility Service access.
Although the apps have since been removed from Google Play, users who installed them at any point since mid-2020 may still have active infections that require manual cleanup and scanning.
Popular infected apps include:
Essential Horoscope for Android
3D Skin Editor for PE Minecraft
Logo Maker Pro
Auto Click Repeater
Count Easy Calorie Calculator
Dots: One Line Connector
Sound Volume Extender
Spread Through Unapproved Stores
A further 12 apps carrying Xamalicious are distributed through unofficial third-party app stores, in addition to the ones that were on Google Play. Users who sideload APKs from such sources infect their devices.
McAfee’s telemetry data shows that most infections occur on devices in the US, Germany, Spain, the UK, Australia, Brazil, Mexico, and Argentina.
Xamalicious is a .NET-based Android backdoor built with the open-source Xamarin framework, so its logic ships as .NET assemblies inside the APK rather than as ordinary Dalvik bytecode, which complicates static analysis. After installation the app asks the user to enable its Accessibility Service; once granted, that access lets it perform privileged actions such as injecting navigation gestures and hiding on-screen elements.
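As an added example (not code from McAfee's report or from the malware itself), the following Python triages an APK for the Xamarin packaging described above: it checks for the Mono/Xamarin native runtime libraries and lists the .NET assemblies under assemblies/, flagging those stored in Xamarin's LZ4 'XALZ' container, which must be decompressed before a .NET decompiler will accept them. The APK it inspects is constructed in memory for the demonstration; the indicator names are generic Xamarin.Android artifacts, not indicators specific to Xamalicious.

```python
"""Triage an APK for Xamarin/.NET packaging (added example; constructed input)."""
import io
import struct
import zipfile

# Native runtime libraries that Xamarin.Android bundles under lib/<abi>/.
XAMARIN_NATIVE_LIBS = {
    "libmonodroid.so",
    "libmonosgen-2.0.so",
    "libmonosgen-64bit-2.0.so",
    "libxamarin-app.so",
}
# Header of an LZ4-compressed Xamarin assembly: b"XALZ" + uint32 index + uint32 uncompressed size.
XALZ_MAGIC = b"XALZ"


def xamarin_triage(apk_bytes: bytes) -> dict:
    """Report Xamarin indicators and the .NET assemblies an APK ships.

    The returned 'assemblies' entries are what an analyst must decompile instead of
    (or in addition to) classes.dex; entries with xalz=True need LZ4 block
    decompression of the bytes after the 12-byte header before decompiling.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        native = sorted(
            {n.rsplit("/", 1)[-1] for n in names
             if n.startswith("lib/") and n.rsplit("/", 1)[-1] in XAMARIN_NATIVE_LIBS}
        )
        assemblies = []
        for n in sorted(names):
            if n.startswith("assemblies/") and n.lower().endswith(".dll"):
                head = zf.read(n)[:12]
                compressed = head.startswith(XALZ_MAGIC) and len(head) == 12
                size = struct.unpack("<I", head[8:12])[0] if compressed else None
                assemblies.append({"name": n, "xalz": compressed, "uncompressed_size": size})
        # Newer Xamarin versions can pack every assembly into one store file instead.
        store = "assemblies/assemblies.blob" in names
    return {
        "is_xamarin": bool(native or assemblies or store),
        "native_libs": native,
        "assemblies": assemblies,
        "assembly_store": store,
    }


def build_sample_apk(xamarin: bool = True) -> bytes:
    """Constructed stand-in for an APK: a zip with (or without) Xamarin markers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder bytes, not parsed
        zf.writestr("classes.dex", b"dex\n035\x00")
        if xamarin:
            zf.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF")
            zf.writestr("lib/arm64-v8a/libxamarin-app.so", b"\x7fELF")
            zf.writestr("assemblies/Mono.Android.dll", b"MZ" + b"\x00" * 62)  # plain PE header
            zf.writestr("assemblies/App.dll",
                        XALZ_MAGIC + struct.pack("<II", 0, 4096) + b"\x00" * 16)  # XALZ-wrapped
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(xamarin_triage(build_sample_apk()), indent=2))
```

Run it against a real file by passing `open(path, "rb").read()` to `xamarin_triage`; a result with `is_xamarin` true tells you that decompiling classes.dex alone will miss the app's actual logic and that the listed assemblies are where to look.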
Once installed, Xamalicious checks the device's geographic location, network, configuration and root status; if those meet the operator's conditions, it contacts a Command and Control (C2) server and retrieves a second-stage DLL payload named ‘cache.bin’, which it then loads and runs.
This finding underlines the need for caution when installing apps, even from official app stores, and for periodically scanning your phone for threats.
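One practical check when scanning a device for the kind of Accessibility Service abuse described above, as an added example that is not part of McAfee's report: enumerate which packages have an enabled accessibility service and flag any that are third-party (not part of the system image) and not on an allowlist. The parsing works on the output of two adb commands; the sample output below is constructed, and the package names in it are placeholders rather than Xamalicious indicators. The allowlist is an assumption to be adjusted per device fleet.

```python
"""Flag third-party apps holding an enabled Accessibility Service (added example)."""
import subprocess

# Accessibility services expected on most devices (assumption: adjust per fleet).
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.google.android.accessibility.switchaccess",
}


def parse_enabled_services(setting_value: str) -> list:
    """Parse `settings get secure enabled_accessibility_services` output.

    The value is a colon-separated list of ComponentName strings, 'pkg/class' or the
    shorthand 'pkg/.Class'; the literal 'null' (or an empty string) means none enabled.
    """
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    services = []
    for component in value.split(":"):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_third_party_packages(pm_output: str) -> set:
    """Parse `pm list packages -3` output ('package:<name>' per line) into a set."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def suspicious_services(setting_value: str, pm_output: str, allow=KNOWN_GOOD_PACKAGES) -> list:
    """Enabled accessibility services owned by non-system packages not on the allowlist."""
    third_party = parse_third_party_packages(pm_output)
    return [(pkg, cls) for pkg, cls in parse_enabled_services(setting_value)
            if pkg in third_party and pkg not in allow]


def collect_from_device(serial: str = None) -> tuple:
    """Run both queries over adb against an attached device (adb must be on PATH)."""
    base = ["adb"] + (["-s", serial] if serial else []) + ["shell"]

    def run(*args):
        return subprocess.run(base + list(args), capture_output=True, text=True, check=True).stdout

    return (run("settings", "get", "secure", "enabled_accessibility_services"),
            run("pm", "list", "packages", "-3"))


# Constructed sample output; package names are placeholders, not real indicators.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.horoscope/.AccessHelperService"
)
SAMPLE_PM = (
    "package:com.google.android.marvin.talkback\n"
    "package:com.example.horoscope\n"
    "package:com.example.skineditor\n"
)

if __name__ == "__main__":
    for pkg, cls in suspicious_services(SAMPLE_SETTING, SAMPLE_PM):
        print(f"review: {pkg} has accessibility service {cls} enabled")
```

To run it against a phone, replace the constructed sample with `suspicious_services(*collect_from_device())`. A hit is a lead to review and, if the app is unknown, uninstall; it is not on its own proof of infection, since legitimate utilities (auto-clickers, screen readers, password managers) also rely on accessibility services.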
Conclusion
McAfee found ‘Xamalicious’, an Android backdoor that has infected 338,300 devices through malicious apps on Google Play. The most widely installed of the infected apps are Essential Horoscope for Android, 3D Skin Editor for PE Minecraft, Logo Maker Pro, Auto Click Repeater, Count Easy Calorie Calculator, Dots: One Line Connector and Sound Volume Extender. The malware is built with the open-source Xamarin framework and abuses the Accessibility Service to perform privileged operations.