Full Report
Authored by Fernando Ruiz. The McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows... The post "Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices" appeared first on McAfee Blog.
Analysis Summary
# Tool/Technique: Android/Xamalicious
## Overview
Android/Xamalicious is an Android backdoor built for financially motivated fraud, chiefly ad fraud (clicking ads and installing apps) without the user's consent. It is implemented with the Xamarin framework and relies on obfuscation and custom encryption to hide its malicious code and its traffic to the command-and-control (C2) server.
## Technical Details
- Type: Malware family (Backdoor)
- Platform: Android
- Capabilities: Gaining Accessibility privileges via social engineering, remote download and dynamic injection of second-stage payloads (DLL assemblies), self-updating capability, device information collection, automated fraudulent actions (ad clicks, app installs).
- First Seen: variants have been distributed through Google Play since mid-2020 (the report was published in December 2023).
## MITRE ATT&CK Mapping
*Note: Xamalicious abuses legitimate OS features rather than exploiting vulnerabilities, so the mapping focuses on the initial access, privilege escalation and C2 behaviours the report describes.*
- **TA0001 - Initial Access**
- Malicious app delivered through official (Google Play) and third-party app stores; the report gives no single technique ID for the distribution vector.
- **TA0004 - Privilege Escalation**
- Abuse of Accessibility Services: the user is socially engineered into enabling the app's accessibility service, which lets the malware read screen content and inject input on the user's behalf.
- **TA0011 - Command and Control**
- T1105 - Ingress Tool Transfer (Dynamically downloading second-stage payload/DLL assembly at runtime)
## Functionality
### Core Capabilities
- **Accessibility Service Abuse:** Socially engineers users into enabling the app's Accessibility Service, which lets the malware read on-screen content and inject taps and text, effectively operating the device on the user's behalf.
- **Dynamic Payload Loading:** Communicates with a C2 server to conditionally download and inject a second-stage payload (a DLL assembly) at runtime.
- **Device Information Collection:** Gathers sensitive device data, including a list of installed applications, to determine suitability for the second stage.
- **Self-Update:** Contains functions to update the main APK file.
### Advanced Features
- **Xamarin Implementation:** Built with the Xamarin framework (.NET/C#), so the malicious logic is compiled into .NET assemblies (DLLs) that the bundled Mono runtime loads at execution time rather than into DEX bytecode. Because most Android analysis tooling inspects DEX, the assemblies hid the malicious code much as a packer would.
- **Obfuscation and Encryption:** Implemented various obfuscation techniques and custom encryption for hiding code and communications.
- **Ad Fraud Execution:** The second-stage payload is heavily linked to functionality seen in ad-fraud applications like "Cash Magnet" (automatic ad clicking, unauthorized app installation).
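The Xamarin layout described above is easy to triage statically once you know where the assemblies live. The following script is an added example (not McAfee's tooling and not code from the report): it opens an APK as a zip, lists every entry under `assemblies/`, and classifies each as a plain PE image (leading `MZ`) or a Xamarin LZ4-compressed assembly (leading `XALZ` magic followed by a descriptor index and the uncompressed size). The sample APK it builds in memory is constructed for the example; the file names inside it are illustrative, not indicators.

```python
"""Triage helper for Xamarin-built APKs (added example, not McAfee's tooling).

Lists the .NET assemblies an APK carries under assemblies/, reports whether each
is an uncompressed PE image (starts with b"MZ") or an LZ4-compressed Xamarin
assembly (starts with b"XALZ"), and parses the XALZ header. The sample APK
below is constructed inline so the script runs offline; it contains no malware.
"""
import io
import struct
import zipfile

XALZ_MAGIC = b"XALZ"   # header of a Xamarin LZ4-compressed assembly
PE_MAGIC = b"MZ"       # DOS/PE header of an uncompressed .NET assembly


def classify_assembly(data: bytes) -> dict:
    """Classify one assemblies/*.dll payload by its leading bytes."""
    if data.startswith(XALZ_MAGIC) and len(data) >= 12:
        # XALZ layout (little-endian): magic (4) | descriptor index (4) |
        # uncompressed size (4) | LZ4 block data. Only the header is parsed here;
        # decompressing the block needs an LZ4 block decoder (e.g. the lz4 package).
        _magic, index, size = struct.unpack_from("<4sII", data, 0)
        return {"format": "xalz", "descriptor_index": index, "uncompressed_size": size}
    if data.startswith(PE_MAGIC):
        return {"format": "pe"}
    return {"format": "unknown"}


def triage_apk(apk_bytes: bytes) -> list:
    """Return one record per .dll found under assemblies/ in the APK zip."""
    records = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("assemblies/") or not name.lower().endswith(".dll"):
                continue
            data = zf.read(name)
            rec = {"name": name, "size": len(data)}
            rec.update(classify_assembly(data))
            records.append(rec)
    return records


def is_xamarin_apk(apk_bytes: bytes) -> bool:
    """Cheap fingerprint: a Mono runtime library plus at least one assembly."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    has_runtime = any(n.endswith("/libmonodroid.so") for n in names)
    has_assemblies = any(n.startswith("assemblies/") and n.lower().endswith(".dll") for n in names)
    return has_runtime and has_assemblies


def build_sample_apk() -> bytes:
    """Construct a minimal zip mimicking a Xamarin APK layout (sample data, not a real app)."""
    xalz_blob = XALZ_MAGIC + struct.pack("<II", 0, 4096) + b"\x00" * 32
    pe_blob = PE_MAGIC + b"\x90\x00" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")          # binary XML stub
        zf.writestr("classes.dex", b"dex\n035\x00")                      # DEX header stub
        zf.writestr("assemblies/core.dll", xalz_blob)                     # compressed assembly
        zf.writestr("assemblies/Mono.Android.dll", pe_blob)               # plain PE assembly
        zf.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF")         # Mono runtime stub
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    print("xamarin:", is_xamarin_apk(apk))
    for rec in triage_apk(apk):
        print(rec)
```

Run it against a real sample with `triage_apk(open("sample.apk", "rb").read())`. Assemblies whose names do not match the usual Xamarin/Mono framework set, or a small stub such as `core.dll` that is XALZ-compressed while the rest are not, are the ones to decompress and load into a .NET decompiler next.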
## Indicators of Compromise
- File Hashes: [Not specified in text]
- File Names: `core.dll` and other obfuscated/custom assembly DLLs under the `assemblies/` directory of the APK. Note that Xamarin may store these assemblies LZ4-compressed with an `XALZ` header rather than as plain PE files, so string-based scanning of the APK entries alone can miss them.
- Registry Keys: [Not applicable for Android]
- Network Indicators: Communication with Command-and-Control server (details not provided, but C2 communication observed after granting permissions).
- Behavioral Indicators: Immediate request for Accessibility Service permission upon first launch, often accompanied by misleading instructions.
## Associated Threat Actors
- Developers motivated by financial gain, specifically ad fraud.
- Previously linked to the functionality of the "Cash Magnet" app.
## Detection Methods
- Signature-based detection: McAfee Mobile Security detects this threat as **Android/Xamalicious**.
- Behavioral detection: monitoring which applications request and are granted Accessibility Service access, and alerting on services enabled by packages outside an expected set. Observing an Android application that loads .NET assemblies at runtime (a bundled Mono runtime with `assemblies/*.dll`) is a further signal worth a closer look.
- YARA rules: [Not specified in text, but custom YARA rules could target Xamarin/Mono assembly artifacts such as the `XALZ` compressed-assembly header or PE assemblies inside the APK.]
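The behavioral check above can be scripted against a managed or lab device. The script below is an added example (not from the McAfee report) that parses the Android secure setting `enabled_accessibility_services`, which `adb shell settings get secure enabled_accessibility_services` returns as a colon-separated list of component names (or the literal `null` when none are enabled), and reports any enabled service whose package is not on an allowlist. The allowlist, the sample setting value and the package `com.example.fakecleaner` are constructed for this example.

```python
"""Flag Accessibility Services enabled by unexpected packages (added example).

Parses the value of the Android secure setting `enabled_accessibility_services`,
readable with `adb shell settings get secure enabled_accessibility_services`.
The value is a colon-separated list of ComponentName strings such as
`com.example.app/.MyService` (shorthand class inside the package) or
`com.example.app/com.example.app.MyService`, or the literal `null` when none
are enabled. The allowlist and sample value below are constructed for this example.
"""
import subprocess

# Hypothetical allowlist: accessibility tools an organisation expects to see enabled.
DEFAULT_ALLOWLIST = frozenset({
    "com.google.android.marvin.talkback",
    "com.android.talkback",
})


def parse_enabled_services(setting_value: str) -> list:
    """Split the raw setting into (package, fully qualified service class) tuples."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    services = []
    for component in value.split(":"):
        component = component.strip()
        if not component:
            continue
        package, _, cls = component.partition("/")
        if cls.startswith("."):
            cls = package + cls  # Android shorthand for a class inside the package
        services.append((package, cls))
    return services


def unexpected_services(setting_value: str, allowlist=DEFAULT_ALLOWLIST) -> list:
    """Return enabled accessibility services not owned by an allowlisted package."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(setting_value) if pkg not in allowlist]


def read_setting_via_adb(serial: str = None) -> str:
    """Read the live value from an attached device (requires adb on PATH and USB debugging)."""
    cmd = ["adb"] + (["-s", serial] if serial else [])
    cmd += ["shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample: TalkBack plus a fictitious app that talked the user into enabling its service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakecleaner/.AccessService"
)

if __name__ == "__main__":
    for pkg, cls in unexpected_services(SAMPLE_SETTING):
        print(f"ALERT: accessibility service enabled by non-allowlisted package {pkg} ({cls})")
```

Swap `SAMPLE_SETTING` for `read_setting_via_adb()` to check a connected device; the allowlist should hold only the screen readers and automation tools you actually deploy, since any package on it could use the same service to drive the UI.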
## Mitigation Strategies
- **User Awareness:** Educating users about the severe risks associated with granting Accessibility Service permissions to non-standard applications.
- **Installation Source Control:** Avoiding third-party marketplaces and relying on official app stores (though this threat bypassed Google Play detection previously).
- **Security Software:** Utilizing Google Play Protect and advanced mobile security solutions (like McAfee Mobile Security).
- **App Vetting:** For organizations deploying internal apps, vet application manifests and runtimes: check for embedded .NET assemblies (an `assemblies/` directory alongside a Mono runtime library) and for any declared accessibility service (a service holding the `BIND_ACCESSIBILITY_SERVICE` permission) that the app's purpose does not justify.
## Related Tools/Techniques
- AndroSpy (Previously detected malware abusing the Xamarin framework).
- Banking Trojans (Potential ultimate payload due to the powers granted by Accessibility Services).