New dangerous Android malware found in apps, delete them immediately

Recently, McAfee researchers made a discovery unveiling a fresh Android backdoor malware called 'Xamalicious,' which infiltrated around 338,300 devices through malicious apps on the Google Play Store. 

This malware was detected in 14 affected apps, with three of them amassing 100,000 installs each before being removed from the Play Store. Although these apps are no longer visible in the store, individuals who inadvertently installed them on their phones are urged to promptly delete them.

The affected apps have been removed from the app store, but users who installed them since mid-2020 might still have active Xamalicious infections on their devices. Consequently, users are recommended to manually cleanse their devices by checking for unwanted apps, suspicious settings, or any irregularities that should be removed from their smartphones.

Here are some widely installed Xamalicious-affected Android apps:

1. Essential Horoscope for Android (100,000 installs)
2. 3D Skin Editor for PE Minecraft (100,000 installs)
3. Logo Maker Pro (100,000 installs)
4. Auto Click Repeater (10,000 installs)
5. Count Easy Calorie Calculator (10,000 installs)
6. Dots: One Line Connector (10,000 installs)
7. Sound Volume Extender (5,000 installs)

In addition to Google Play apps, another group of 12 malicious apps carrying the Xamalicious threat is circulating on unauthorized third-party app stores, impacting users through APK file downloads, according to ANI.

Xamalicious, characterized as an Android backdoor, is unique for being.NET framework-based and integrated into apps developed with the open-source Xamarin framework. This aspect poses a significant challenge for cybersecurity experts conducting code analysis. 

Upon installation, Xamalicious seeks access to the Accessibility Service, granting it the ability to execute privileged operations, such as navigation gestures, hiding on-screen elements, and acquiring additional permissions.

Post-installation, the malware establishes communication with a Command and Control (C2) server to retrieve the second-stage DLL payload ('cache.bin'). This retrieval is contingent on meeting specific criteria, including geographical location, network conditions, device configuration, and root status.

Android users are strongly encouraged to examine their devices for any indications of Xamalicious infections, even if they have uninstalled the implicated apps. Utilizing a reliable antivirus software for manual cleanup and regular device scanning is advised to ensure protection against such malware threats.