We are usually careful about protecting the data on our PCs, but smartphone security is often ignored, and this year's news of a Google Play malware being installed 330k times shows the cost. McAfee recently released its Xamalicious malware report, which breaks down how the McAfee Mobile Research Team discovered the Xamalicious Android backdoor malware that had snuck onto the store disguised as various health and horoscope apps. McAfee's Xamalicious malware analysis is glaring evidence that online threats are evolving faster than ever, despite the efforts made to keep these malicious attacks at bay.

The Xamalicious Malware Report: Google Play Malware Installed Over 330K Times

Image – Pexels

Google Play Malware Installed 330K Times Right Under Our Noses

According to the Xamalicious malware report by McAfee, about 25 different apps carried this threat, and together they account for the Google Play malware being installed over 330k times. These apps had been in distribution since mid-2020, which is a terrifying thought considering how much damage they might have done during that time. Google removed the apps from the Google Play Store proactively, but anyone who still has them installed without being aware of the threat is likely still exposed to the Xamalicious Android backdoor malware.

How the Xamalicious Android Backdoor Malware Works

The Xamalicious Android backdoor malware was built on Xamarin, an open-source framework for developing Android and iOS apps in .NET and C#. Once installed, the backdoor tries to obtain accessibility privileges by convincing the user that the app needs them to function; Android does warn the user at this point, but users are often unaware of the true extent of the threat and grant the permission anyway. According to McAfee's Xamalicious malware analysis, the code was originally written in .NET and compiled into a dynamic link library (DLL), then either compressed and embedded into a BLOB file or placed directly in the APK's /assemblies directory. When the app runs, this code is loaded by a native library (ELF) or by the DEX file. In simple terms, reversing the DLL assemblies is straightforward in some cases, while in others additional steps are needed to unpack them first.

The malicious code is typically found in two assembly files, core.dll and a <package-specific>.dll, in the /assemblies directory of the Android Application Package (APK). Some variants of the malware obfuscate the DLL assemblies to make it harder for analysts to study the malicious code, while others leave the original code visible. The malware contacts its server and, if the infected victim looks like a good target, loads a second-stage payload, sending along information such as the device details, the geo-location, the apps installed on the device, and so on. The accessibility permissions give the Xamalicious Android backdoor malware the freedom to misuse the device in many ways, from spying on the user to impersonating them.
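As an added example (not code from McAfee's report or from this article), here is a small Python triage helper that lists the assemblies inside an APK and records whether each is a plain .NET DLL, an LZ4-compressed Xamarin assembly (the "XALZ" magic), or an assemblies.blob bundle, then points the analyst at the non-framework DLLs such as core.dll. The framework-prefix list and the sample APK it builds are constructed assumptions, not data from the report.

```python
import io
import zipfile

# Plain .NET assemblies are PE files ("MZ"); Xamarin's LZ4-compressed
# assemblies carry the "XALZ" magic and must be unpacked before decompiling.
PE_MAGIC = b"MZ"
XALZ_MAGIC = b"XALZ"
# Heuristic (assumed) prefixes of framework assemblies an analyst would skip.
FRAMEWORK_PREFIXES = ("Xamarin.", "System.", "Mono.", "Microsoft.", "mscorlib", "netstandard")

def triage_assemblies(apk_bytes):
    """Map each member under assemblies/ to how it is stored:
    "pe", "xalz", "blob" (assemblies.blob bundle) or "unknown"."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith("assemblies/") or name.endswith("/"):
                continue
            head = apk.read(name)[:4]
            if name.endswith(".blob"):
                findings[name] = "blob"
            elif head == XALZ_MAGIC:
                findings[name] = "xalz"
            elif head.startswith(PE_MAGIC):
                findings[name] = "pe"
            else:
                findings[name] = "unknown"
    return findings

def assemblies_to_review(findings):
    """Non-framework DLLs (core.dll and the package-specific DLL in the
    Xamalicious case), sorted, so the analyst knows where to start."""
    review = []
    for name, kind in findings.items():
        base = name.rsplit("/", 1)[-1]
        if kind in ("pe", "xalz") and not base.startswith(FRAMEWORK_PREFIXES):
            review.append(name)
    return sorted(review)

def build_sample_apk():
    """Constructed sample: a minimal zip laid out like a Xamarin APK,
    not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed placeholder")
        z.writestr("assemblies/core.dll", b"MZ" + b"\x00" * 62)
        z.writestr("assemblies/Horoscope.App.dll", b"XALZ" + b"\x00" * 28)
        z.writestr("assemblies/Xamarin.Forms.Core.dll", b"MZ" + b"\x00" * 62)
    return buf.getvalue()
```

Run `triage_assemblies(open("app.apk", "rb").read())` on a real APK to get the same breakdown; an "xalz" entry means the DLL has to be LZ4-decompressed before a .NET decompiler can read it.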

Xamalicious Malware Report: What Did It Do?

Considering the Google Play malware was installed over 330k times, it is worth asking what it was actually used for during that period. McAfee found a link between the Xamalicious Android backdoor malware and an app that used to be available on the Google Play Store before it was taken down: Cash Magnet. The Cash Magnet app was originally marketed as a passive income service in which the app would automatically interact with ads and other monetized tasks that generated points for the user. Those points were supposedly convertible into redeemable rewards, with the promise of up to $30 per month just for keeping the app on your device.

Google soon removed the app from the store, but apps like "Letterlink" and "Dots: One Line Connector" were poorly disguised replicas of the same app and likely served the same function, using your device as a vehicle for ad fraud. The report found that users in the USA, Brazil, and Argentina were most affected, followed by the UK, Spain, and Germany.

The Xamalicious malware report on the Google Play malware installed 330k times is not the only evidence of malware bypassing Google's restrictions and making its way onto our Android devices. Kaspersky, another cybersecurity service provider, reported over 600 million downloads of various malicious apps from the Android store in 2023. Its report analyzes the apps that were on the store; for example, iRecorder was a screen-recording app that also silently turned on the user's microphone every 15 minutes to collect data that was sent to its servers. Similarly, 38 Minecraft app clones were discovered on the Play Store, all of which carried hidden adware that misappropriated the user's device for ad farming.

With the number of apps available on these app stores, many malicious apps may slip through the cracks and infest your phone with unnecessary, dangerous malware that can damage the life of your device and expose you to various threats. It is essential to become more careful about the apps we download, keeping the numbers to a minimum to reduce the number of threats we expose ourselves to. If a more regulated platform like the Google Play App Store can hold so many threats, it is likely much worse on third-party platforms that are more lax with their security. Avoid downloading from unverified sources and be very selective about providing accessibility permission to the apps that you use on your devices.