Android XLoader Malware Can Now Autoexecute After Installation
A new version of the XLoader Android malware has been discovered that runs automatically on infected devices and requires no user interaction to launch.
XLoader, also known as MoqHao, is Android malware operated and possibly created by a financially motivated threat actor called Roaming Mantis, which has previously been seen targeting users in the US, UK, Germany, France, Japan, South Korea and Taiwan.
Attackers distribute the malware primarily via SMS messages containing (shortened) URLs that lead to sites serving Android APK installation files.
McAfee researchers report that the latest XLoader variant can start automatically after installation. This allows the malware to run in the background and, among other things, steal sensitive user information.
"When an app is installed, malicious activity automatically begins," explains Android Application Protection Alliance partner McAfee.
"We have reported this technique to Google and they are working to implement mitigations to prevent this type of auto-execution in future versions of Android."
To further disguise the malicious apps, Roaming Mantis uses Unicode strings to make the APKs look like legitimate software, most often the Chrome web browser.
This trick matters for the next step, which is tricking users into granting dangerous permissions on the device, such as sending and reading SMS content, and allowing the app to "always run in the background" by adding it as an exception to Android's battery optimization.
The fake Chrome app asks users to set it as the default SMS app, claiming this will help prevent spam.
The pop-up message used in this step is available in English, Korean, French, Japanese, German, and Hindi, which reflects XLoader's current targets.
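The disguise-and-permissions pattern described above is something a defender can look for when triaging a decoded APK. The script below is an added example, not code from the article or from McAfee: it parses a decoded AndroidManifest.xml and scores four traits the article attributes to the fake "Chrome" dropper: SMS permissions, a request to be exempted from battery optimization, eligibility to become the default SMS handler, and an app label that reads as "Chrome" only after Unicode normalization. The permission and action names are real Android identifiers; the two sample manifests, the package names, and the "three of four" threshold are constructed for this example.

```python
# Added example, not from the article or McAfee: a defender-side manifest triage
# heuristic that scores the traits the article attributes to the fake "Chrome"
# XLoader/MoqHao dropper. The sample manifests below are constructed for this example.
import re
import unicodedata
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
LABEL = f"{{{ANDROID_NS}}}label"

# Real Android identifiers used as indicators.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
BATTERY_EXEMPTION = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
# An app can only become the default SMS handler if it declares a receiver for this action.
DEFAULT_SMS_ACTION = "android.provider.Telephony.SMS_DELIVER"


def normalized_label(label: str) -> str:
    """Collapse Unicode disguises: compatibility-normalize (fullwidth letters become
    ASCII), drop zero-width/format characters and combining marks, keep letters only."""
    text = unicodedata.normalize("NFKC", label)
    text = "".join(ch for ch in text if unicodedata.category(ch) not in ("Cf", "Mn"))
    return re.sub(r"[^A-Za-z]", "", text).lower()


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found in a decoded AndroidManifest.xml plus a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    actions = {a.get(NAME) for a in root.iter("action")}
    app = root.find("application")
    # In a real APK android:label is usually "@string/..." and must be resolved from
    # the decoded resources; the constructed samples here carry a literal label.
    label = (app.get(LABEL) if app is not None else None) or ""
    has_non_ascii = any(ord(ch) > 127 for ch in label)

    indicators = {
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "battery_exemption": BATTERY_EXEMPTION in perms,
        "default_sms_handler": DEFAULT_SMS_ACTION in actions,
        # Reads as "Chrome" only after normalization: the Unicode disguise.
        "chrome_lookalike_label": has_non_ascii and "chrome" in normalized_label(label),
    }
    score = sum(bool(v) for v in indicators.values())
    # Threshold chosen for this example: three of the four traits together.
    return {**indicators, "label": label, "score": score, "xloader_like": score >= 3}


# Constructed sample: fullwidth "Chrome" with an embedded zero-width space (U+200B).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.constructed.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="&#xFF23;&#xFF48;&#xFF52;&#x200B;&#xFF4F;&#xFF4D;&#xFF45;">
    <receiver android:name=".SmsReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(xml))
```

Each trait on its own is legitimate (a real messaging app needs SMS permissions and the SMS_DELIVER receiver), so the heuristic only reacts to the combination; the lookalike check is what separates a Chrome impersonator from a genuine SMS client.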
The latest version of XLoader creates a notification channel to carry out personalized phishing attacks on the infected device.
It extracts phishing messages and target URLs from Pinterest profiles, potentially evading security tools that monitor for suspicious traffic sources.
Using Pinterest also allows the attackers to quickly change phishing messages and targets without pushing malware updates to the devices.
If that fails, XLoader falls back to an encrypted phishing message that alerts the user to a supposed problem with their bank account that requires intervention.
Additionally, the malware can execute 20 commands received from the command-and-control (C2) server over the WebSocket protocol.
The main XLoader commands are:
- get_photo – Sends all photos to the control server, a major privacy violation.
- getSmsKW – Sends all SMS messages to the control server, potentially exposing sensitive information.
- sendSms – Allows the malware to send SMS messages, to distribute the malware further or enable phishing.
- gcont – Exports the entire contact list to the control server, violating privacy and enabling spear phishing.
- getPhoneState – Collects device identifiers (IMEI, SIM number, Android ID, serial number) so that the device can be tracked.
- http – Sends HTTP requests for malware downloads, data exfiltration, or C2 communications.
Since appearing on the mobile threat scene in 2015, XLoader has continued to evolve its attack methodology, increasing its stealth capabilities and effectiveness.
McAfee warns that newer variants of XLoader can be very effective because they require minimal user interaction.
Because the malware hides under the guise of Chrome, McAfee recommends using a security product that can scan the device and remove threats based on known indicators.
Update 9/2: Android devices with Google Play services are protected against this type of malware by Play Protect, which is enabled by default.