More than 327,000 Android devices have been compromised by the novel Xamalicious malware, most of them in Brazil, the UK, Australia, the U.S., and Mexico, The Hacker News reports.
Twenty-five health, gaming, productivity, and horoscope apps, some of them available on the Google Play Store since mid-2020, have been used to distribute Xamalicious, a report from the McAfee Mobile Research Team revealed. The malware abuses Android accessibility permissions to exfiltrate system metadata and to deploy a first-stage dropper that can update the primary APK, followed by a second-stage payload that could enable full device takeover and further malicious actions. "To evade analysis and detection, malware authors encrypted all communication and data transmitted between the C2 and the infected device, not only protected by HTTPS, it's encrypted as a JSON Web Encryption (JWE) token using RSA-OAEP with a 128CBC-HS256 algorithm," said researcher Fernando Ruiz. Xamalicious has also been found to be similar to the Cash Magnet ad-fraud app.
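The quoted C2 format is a standard JWE compact serialisation (the JWA-registered name of the content-encryption algorithm is A128CBC-HS256). Because the protected header is only base64url-encoded, not encrypted, an analyst with a traffic capture can fingerprint such tokens without any key material. The following is an added example written for this page, not McAfee's tooling or anything recovered from the malware: it parses the five-segment token, reads alg/enc from the header, checks the IV, tag and ciphertext lengths against RFC 7518, infers the RSA modulus size from the encrypted-key segment, and flags tokens that use the reported RSA-OAEP + A128CBC-HS256 pair. The sample token is constructed from placeholder bytes (it cannot be decrypted), and the helper names and the modulus-size heuristic are assumptions made here.

```python
import base64
import json

# Segment lengths RFC 7518 mandates for the content-encryption algorithms a
# JWE header may name in "enc". For AES-CBC-HMAC the tag is the HMAC output
# truncated to half its length, so A128CBC-HS256 carries a 16-byte tag.
ENC_PARAMS = {
    "A128CBC-HS256": {"iv_bytes": 16, "tag_bytes": 16, "cbc": True},
    "A192CBC-HS384": {"iv_bytes": 16, "tag_bytes": 24, "cbc": True},
    "A256CBC-HS512": {"iv_bytes": 16, "tag_bytes": 32, "cbc": True},
    "A128GCM": {"iv_bytes": 12, "tag_bytes": 16, "cbc": False},
    "A192GCM": {"iv_bytes": 12, "tag_bytes": 16, "cbc": False},
    "A256GCM": {"iv_bytes": 12, "tag_bytes": 16, "cbc": False},
}

# Key-management algorithms whose encrypted-key segment is a raw RSA
# ciphertext, so its length equals the modulus size of the recipient key.
RSA_ALGS = {"RSA1_5", "RSA-OAEP", "RSA-OAEP-256"}


def b64url_decode(segment):
    """Decode unpadded base64url, the encoding JOSE uses for every segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def inspect_jwe(token):
    """Parse a JWE compact serialisation without any key material.

    Returns a dict describing the header and whether the segment lengths are
    consistent with the algorithms the header claims. Raises ValueError when
    the token is not even structurally a JWE.
    """
    parts = token.strip().split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact form needs 5 segments, got %d" % len(parts))
    header_b64, ekey_b64, iv_b64, ct_b64, tag_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    alg, enc = header.get("alg"), header.get("enc")
    if alg is None or enc is None:
        raise ValueError("protected header lacks alg/enc, not a JWE")

    ekey, iv, ct, tag = (b64url_decode(s) for s in (ekey_b64, iv_b64, ct_b64, tag_b64))
    findings = []
    params = ENC_PARAMS.get(enc)
    if params is None:
        findings.append("unknown enc %r" % enc)
    else:
        if len(iv) != params["iv_bytes"]:
            findings.append("iv is %d bytes, %s needs %d" % (len(iv), enc, params["iv_bytes"]))
        if len(tag) != params["tag_bytes"]:
            findings.append("tag is %d bytes, %s needs %d" % (len(tag), enc, params["tag_bytes"]))
        if params["cbc"] and len(ct) % 16 != 0:
            findings.append("ciphertext length %d is not a multiple of the AES block" % len(ct))
    # Heuristic assumed here: an RSA-wrapped CEK shorter than 2048 bits is worth a look.
    rsa_bits = len(ekey) * 8 if alg in RSA_ALGS else None
    if rsa_bits is not None and rsa_bits < 2048:
        findings.append("RSA recipient key appears to be only %d bits" % rsa_bits)
    return {
        "alg": alg,
        "enc": enc,
        "header": header,
        "encrypted_key_bytes": len(ekey),
        "inferred_rsa_bits": rsa_bits,
        "ciphertext_bytes": len(ct),
        "consistent": not findings,
        "findings": findings,
    }


def matches_reported_profile(info):
    """True when the token uses the alg/enc pair reported for Xamalicious C2
    traffic. Plenty of legitimate software uses the same pair, so this only
    narrows candidates for deeper analysis; it is not a signature on its own."""
    return info["alg"] == "RSA-OAEP" and info["enc"] == "A128CBC-HS256"


def build_sample_token(alg="RSA-OAEP", enc="A128CBC-HS256", rsa_bytes=256):
    """Constructed sample for offline testing, not captured traffic: a
    structurally valid JWE whose segments are placeholder bytes."""
    header = b64url_encode(json.dumps({"alg": alg, "enc": enc}).encode())
    ekey = b64url_encode(bytes(i % 256 for i in range(rsa_bytes)))
    params = ENC_PARAMS[enc]
    iv = b64url_encode(bytes(params["iv_bytes"]))
    ct = b64url_encode(b"\x00" * 32)  # two AES blocks of placeholder ciphertext
    tag = b64url_encode(b"\x00" * params["tag_bytes"])
    return ".".join((header, ekey, iv, ct, tag))


if __name__ == "__main__":
    info = inspect_jwe(build_sample_token())
    print(json.dumps(info, indent=2))
    print("matches reported profile:", matches_reported_profile(info))
```

Run over strings pulled from a proxy log or a decrypted TLS capture, this separates structurally valid JWE tokens from other base64 blobs and records the key-management and content-encryption algorithms each one claims; a mismatch between the header and the segment lengths usually means a hand-rolled or broken implementation rather than a library-generated token, which is itself a useful triage signal.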