A new version of the XLoader Android malware has been discovered. This malware runs automatically on infected devices and does not require any user interaction to start.
XLoader (also known as MoqHao) is an Android malware operated, and likely created, by a financially motivated attacker named ‘Roaming Mantis’ that has so far targeted users in the US, UK, Germany, France, Japan, South Korea, and Taiwan.
Attackers primarily distribute malware through SMS texts containing (shortened) URLs pointing to sites that deliver Android APK installation files for mobile apps.
McAfee researchers report that recent XLoader variants have demonstrated the ability to launch automatically after installation. This allows the malware to secretly run in the background and, among other things, siphon sensitive user information.
“Malicious activity is automatically initiated while an app is installed,” explains McAfee, an App Defense Alliance partner for Android.
“We have already reported this technique to Google, and Google is already working on implementing mitigations to prevent this type of automatic execution in future Android versions.”
To further disguise the malicious apps, Roaming Mantis uses Unicode strings to make malicious APKs appear to be legitimate software, specifically the Chrome web browser.
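The Unicode disguise described above can be caught with a normalization check on the app label. The following Python is an added example for illustration, not McAfee's code and not derived from the samples the report describes; the sample labels are constructed, and the list of protected brand names is an assumption. It flags a label that only reads as "Chrome" after compatibility normalization and after invisible or combining characters are removed, which is how fullwidth letters, Roman-numeral look-alikes and zero-width characters produce a convincing fake name.

```python
import unicodedata

# Constructed sample labels (not taken from the McAfee report).
SAMPLE_LABELS = [
    "Chrome",            # genuine spelling, plain ASCII
    "\uff23hrome",       # fullwidth Latin C (U+FF23)
    "Chro\u200bme",      # zero-width space hidden inside the word
    "\u216dhrome",       # Roman numeral one hundred (U+216D), renders like "C"
    "Chr\u00f6me",       # a different letter entirely; should not match
    "Files",             # unrelated app
]

# Brand names an installer UI would want to protect (assumption for this example).
PROTECTED_BRANDS = {"chrome"}

# Unicode general categories that do not render as visible letters:
# Cf = format chars (zero-width space etc.), Mn/Me = combining marks.
INVISIBLE_CATEGORIES = {"Cf", "Mn", "Me"}


def normalized_label(label: str) -> str:
    """Collapse a display label to a comparable form.

    NFKC maps compatibility characters (fullwidth letters, Roman numerals)
    to their plain equivalents; invisible and combining characters are then
    dropped and the result is case-folded.
    """
    nfkc = unicodedata.normalize("NFKC", label)
    visible = "".join(
        ch for ch in nfkc if unicodedata.category(ch) not in INVISIBLE_CATEGORIES
    )
    return visible.casefold()


def classify_label(label: str, protected=PROTECTED_BRANDS) -> str:
    """Return 'unrelated', 'exact' or 'lookalike'.

    'exact' means the label is the brand name spelled in plain ASCII (package
    name and signing certificate still need checking). 'lookalike' means the
    label only matches the brand after normalization, i.e. it relies on
    non-ASCII code points to imitate the name.
    """
    if normalized_label(label) not in protected:
        return "unrelated"
    if label.isascii():
        return "exact"
    return "lookalike"


def flag_lookalikes(labels):
    """Return the labels that imitate a protected brand via Unicode tricks."""
    return [label for label in labels if classify_label(label) == "lookalike"]


if __name__ == "__main__":
    for label in SAMPLE_LABELS:
        codepoints = " ".join(f"U+{ord(c):04X}" for c in label)
        print(f"{classify_label(label):<10} {label!r:<16} {codepoints}")
```

The check is deliberately strict about non-ASCII: a label that normalizes to a protected brand but contains any non-ASCII code point is treated as a look-alike, because a genuine build of the impersonated product has no reason to spell its own name with compatibility characters.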
This impersonation matters for the next step: it tricks users into approving risky permissions on their devices, such as sending and accessing SMS content, and into excluding the app from Android’s battery optimizations so that it can “always run in the background.”
The fake Chrome app also asks users to set itself as the default SMS app, claiming that doing so will prevent spam.
The pop-up message used in this step is available in English, Korean, French, Japanese, German, and Hindi, which indicates XLoader’s current targets.
Malware behavior
Recent iterations of XLoader create notification channels to perform custom phishing attacks on devices.
It retrieves phishing messages and landing URLs from Pinterest profiles, which helps it evade security tools that monitor for suspicious traffic sources.
Using Pinterest also lets the attackers switch phishing destinations and messages on the fly without the risk of pushing updates to the malware on the device.
If that fails, XLoader falls back to a hard-coded phishing message that alerts the user to a problem with their bank account and requires them to take action.
Additionally, the malware is capable of executing a wide range of commands (20 in total) received from a command and control (C2) server via the WebSocket protocol.
The most important XLoader commands are:
- get photo: Sends all photos to the control server, a serious privacy violation.
- getSmsKW: Sends all SMS messages to the control server, putting privacy at risk because sensitive information may be exposed.
- Send SMS: Allows the malware to send SMS messages, enabling it to spread or to phish by impersonating the victim.
- gcont: Exports the entire contact list to the control server, which poses a privacy risk and enables targeted phishing.
- Get phone status: Collects device identifiers (IMEI, SIM number, Android ID, serial number), enabling tracking.
- http: Facilitates sending HTTP requests for malware downloads, data exfiltration, or C2 communications.
Since arriving on the mobile threat scene in 2015, XLoader has consistently evolved its attack techniques to enhance its stealth capabilities and effectiveness.
McAfee warns that the latest variants of XLoader may be particularly effective because they require minimal user interaction.
Given that the malware hides under the guise of Chrome, McAfee suggests using a security product that can scan the device and eradicate threats based on known indicators.