Android Backdoor 'Xamalicious' infects over 338,000 devices via Google Play

android users, malware alert, xamalicious, what is xamalicious, google play store, McAfee, android — Image Source : FILE Representational Image

A security discovery by McAfee reveals a sneaky Android backdoor named 'Xamalicious,' infecting around 338,300 devices through malicious apps available on Google Play. McAfee identified 14 infected apps on Google Play, with three of them accumulating 100,000 installs each.

User Impact

Although these apps are now removed from Google Play, users who installed them since mid-2020 might still have active infections, requiring manual cleanup and scanning.

Popular Infected Apps

The most popular among these infected apps include:

Essential Horoscope for Android
3D Skin Editor for PE Minecraft
Logo Maker Pro
Auto Click Repeater
Count Easy Calorie Calculator
Dots: One Line Connector
Sound Volume Extender

Spread Through Unapproved Stores

In addition to Google Play, 12 malicious apps carrying the Xamalicious threat are spread through unapproved third-party app stores. Users become infected by downloading APK (Android package) files from these sources.

Geographical Impact

The infections are widespread, with the majority found on devices in the United States, Germany, Spain, the UK, Australia, Brazil, Mexico, and Argentina, according to McAfee's telemetry data.

What is Xamalicious?

Xamalicious is a.NET-based Android backdoor hidden within apps built using the open-source Xamarin framework. This makes code analysis more challenging. It gains Accessibility Service access upon installation, allowing it to execute privileged operations like navigation gestures and hiding on-screen objects.

C2 Server Interaction

After installation, Xamalicious communicates with a Command and Control (C2) server to retrieve the second-stage DLL payload ('cache.bin') if specific conditions related to geography, network, device configuration, and root status are met.