Xavier Malware Infects Hundreds of Android Apps on Google Play Store

You might have heard researchers urging Android users not to download apps from a third party store since a lot of them contain malware. Now, things have changed as hackers and cyber criminals are bypassing Google’s security implementation on Play Store and uploading apps infected with malware.

The IT security researchers at Trend Mirco have discovered that over 800 Android apps on Google Play store contain a malware called Xavier that is silently stealing personal and financial data of users. The infected apps belong to categories like photo manipulators, utilities, ringtone chargers, anti-virus, volume booster, speed booster, video converter, call recorder, and wallpaper apps downloaded millions of times by users around the world.

The majority of downloads came from countries like Indonesia, Philippines, and Vietnam while some of the downloads attempts were from European countries and the United States. 

Here’s a list of 75 apps that Google has already removed.

According to Trend Micro’s blog post:

“Xavier’s stealing and leaking capabilities are difficult to detect because of a self-protect mechanism that allows it to escape both static and dynamic analysis. In addition, Xavier also has the capability to download and execute other malicious codes, which might be an even more dangerous aspect of the malware. Xavier’s behavior depends on the downloaded codes and the URL of codes, which are configured by the remote server.”

Xavier’s history and infection

Xavier is not a new malware, in fact, it belongs to AdDown family which was discovered two years ago with remote code execution capabilities. Its first version appeared in 2015 and dubbed by researchers as “Joymobile” while Xavier itself was detected in September 2016.

Other than evading detection, Xavier comes with capabilities including collecting, leaking user data and installing other APKs in case the infected device is rooted. Furthermore, it also communicates with the Command & Control (C&C) server without encryption. However, all constant strings were encrypted in the code. Xavier does that all by remaining undetected.

What should Android users do

While Google is removing the infected apps it does not mean the malware will completely vanish from Play Store or that it will not make a come back. Xavier is a nasty piece of malware developed to take control of users’ device and data, therefore users are advised not to download apps unnecessarily.

Android users are also advised to use a verified security software and always scan their devices. Another noteworthy thing about Android is that it is one of the most targeted smartphones operating systems in the world. Just a couple of days ago researchers found WannaCry’s copycat WannaLocker ransomware targeting Android devices in China while Judy malware infected apps which were downloaded 36 million times.

Also, recently researchers discovered Dvmap malware with code injecting capability targeting Android devices. That is why Google is paying hackers and security researchers $200,000 for reporting bugs in Android.

DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.

Related Posts