Security researchers at McAfee have discovered a new and more dangerous variant of the XLoader Android malware. It can automatically launch on infected Android devices without user interaction. This technique allows the malware to execute malicious activities as soon as it is installed.
Android XLoader gets more dangerous with the auto-execute technique
XLoader, aka MoqHao, is a well-known Android malware family that has been around since at least 2015. Operated by the Roaming Mantis threat actor group, this malware strain has been previously used to target Android users in France, Germany, Japan, South Korea, Taiwan, the UK, and the US.
McAfee’s Mobile Research Team recently discovered that MoqHao has begun distributing a new variant of the malware using an auto-execution technique first identified in July 2022. The distribution method is the same—attackers send text messages containing a shortened link to download the malicious app to potential victims.
If an unsuspecting user clicks on the link and proceeds to install the app, disguised as Google Chrome, they immediately fall prey to the attack. Unlike previous variants, which required users to open the app before the malware became active, the new XLoader variant can launch automatically after installation.
Because the loader runs as soon as it is installed, the malicious activity starts in the background before the victim has opened anything. The Google Chrome disguise then does double duty: it helps the app avoid suspicion, and it lends credibility to a string of permission prompts in which the app asks to be allowed to always run in the background (the battery-optimization exemption) and to access files, messages, and more. The malware even asks the user to make it the default messaging app, claiming this will block spam. A default SMS app receives every incoming text before any other app and can send messages itself, which is what the message-stealing and message-sending commands described below depend on.
Attackers have localized this pop-up message in English, Korean, French, Japanese, German, and Hindi, which indicates their current targets. Once initialization is complete, the malware creates a notification channel that it uses to display phishing messages, checking the device’s carrier and adjusting the lure accordingly. Rather than hardcoding the lure in the sample, it fetches it from a public service: “MoqHao gets the phishing message and the phishing URL from Pinterest profiles,” McAfee reports.
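The permission and default-SMS-app behaviour described above leaves a recognisable footprint in an APK's manifest. The following static triage script is an added example written for this article, not code from McAfee or from the malware: it parses a decoded AndroidManifest.xml and flags a package that labels itself "Chrome" without being Google's Chrome package, declares all the components Android requires of a default SMS handler, asks for the battery-optimization exemption, and requests SMS, storage and contacts access. Both manifests in the block are constructed for illustration and are not real MoqHao samples; the package names and component names are made up.

```python
"""Static triage of an Android manifest for MoqHao-style indicators.

Added example, not McAfee's or Android Headlines' code. The two manifests
below are constructed for illustration; they are not real malware samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Actions the Android framework requires a default SMS app to handle
# (receivers for SMS_DELIVER / WAP_PUSH_DELIVER, a SENDTO activity and a
# RESPOND_VIA_MESSAGE service). An app without all four cannot be chosen.
SMS_HANDLER_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.SENDTO",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}
# Package names Google actually ships Chrome under.
GOOGLE_CHROME_PACKAGES = {"com.android.chrome", "com.chrome.beta",
                          "com.chrome.dev", "com.chrome.canary"}
BATTERY_EXEMPTION = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"


def _attr(elem, name):
    """Read an android:<name> attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found plus a simple count used as a score."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    # A real manifest usually stores the label as @string/...; resolving
    # resources is out of scope here, so only literal labels are checked.
    label = (_attr(app, "label") or "") if app is not None else ""
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    actions = {_attr(a, "name") for a in root.iter("action")}
    findings = {
        "package": package,
        "impersonates_chrome": "chrome" in label.lower()
                               and package not in GOOGLE_CHROME_PACKAGES,
        "default_sms_handler": SMS_HANDLER_ACTIONS <= actions,
        "ignores_battery_optimizations": BATTERY_EXEMPTION in perms,
        "reads_sms": bool(perms & {"android.permission.READ_SMS",
                                   "android.permission.RECEIVE_SMS"}),
        "reads_storage": bool(perms & {"android.permission.READ_EXTERNAL_STORAGE",
                                       "android.permission.READ_MEDIA_IMAGES"}),
        "reads_contacts": "android.permission.READ_CONTACTS" in perms,
    }
    findings["score"] = sum(1 for k, v in findings.items()
                            if k != "package" and v is True)
    return findings


# Constructed manifest mimicking the behaviour described in the article.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechrome">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Chrome">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <activity android:name=".ComposeActivity">
      <intent-filter>
        <action android:name="android.intent.action.SENDTO"/>
        <data android:scheme="sms"/><data android:scheme="smsto"/>
      </intent-filter>
    </activity>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for xml in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(xml))
```

To run this against a real APK, first decode the binary manifest (for example with `apktool d sample.apk`, which writes a readable AndroidManifest.xml) and pass that file's contents to `triage_manifest`. A high score is a reason to look closer, not proof of malice: legitimate messaging apps also register as SMS handlers, so the combination with a misleading label and the battery exemption is what matters.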
The malware can execute a wide array of commands
If the Pinterest lookup fails, XLoader falls back to hardcoded phishing messages that claim there is a problem with the user’s bank account and urge immediate action. The operators can also issue commands remotely: McAfee documented 20 commands the malware accepts from its command-and-control (C2) server over the WebSocket protocol.
Among the most dangerous are commands to upload all photos to the C2 server, upload all SMS messages, send new messages to the victim’s contacts, export saved contacts, collect the IMEI, SIM number, Android ID, serial number and other device identifiers, and issue HTTP requests to download additional malware.
According to McAfee, Android devices with Google Play Services, and therefore Google Play Protect enabled by default, are protected against this malware. Devices without Play Services get no such safety net, and in either case the infection chain still depends on the user tapping a link in a text message and allowing installation from an unknown source, so the safest practice remains installing apps only from known sources such as the Google Play Store. Google is also reportedly working on a way to block this type of auto-execution in a future Android version, possibly Android 15.
The post New variant of Android XLoader malware can launch itself appeared first on Android Headlines.