This Android Malware Runs Automatically And Can Steal Sensitive Data

Cybersecurity researchers at McAfee have discovered that an updated version of the Android malware, XLoader, can automatically launch itself on infected Android smartphones after installation without the need for any user interaction.

XLoader, also known as MoqHao, is a malware strain that is likely created by a financially motivated threat actor called ‘Roaming Mantis’.

This malware is mainly distributed via shortened URL links in text messages on Android devices; when the link is clicked, it redirects the user to a website that serves an Android APK installation file for a mobile app.

This allows the malware to run silently in the background and extract personal and private information from compromised devices, including device metadata, photos, text messages and contact lists; it can also silently call specific numbers and potentially harvest banking information, among other things.

“Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution. While the app is installed, their malicious activity starts automatically,” explains McAfee, an Android App Defense Alliance partner, in a report published this week.

“We have already reported this technique to Google and they are already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version.”

To trick the user, the malware disguises itself as a legitimate app, often pretending to be the Google Chrome web browser, and uses Unicode strings in app names for obfuscation. Under this disguise it seeks risky permissions on the device, such as sending and accessing SMS content, and requests an exclusion from Android’s Battery Optimization so that it can always run in the background.

Further, the fake Chrome app also asks users if they want to set it as the default SMS app under the pretext that doing so will help prevent spam.
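As an added illustration from the defender's side (not code from McAfee's report or the article), the checks below parse a decoded AndroidManifest.xml and flag the traits described above: non-ASCII characters hidden in the app label, SMS permissions, the battery-optimization exclusion, and the SMS_DELIVER receiver that a default-SMS-app candidate declares. The sample manifest, its package name and the function names are constructed for this demo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Indicators the article associates with the fake Chrome variant:
# SMS access, battery-optimization exclusion, and the default-SMS-app role.
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
             "android.permission.RECEIVE_SMS"}
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found in a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    # Non-ASCII code points (zero-width, bidi or look-alike characters) hidden in
    # a label that renders as "Chrome" are the obfuscation the article describes.
    non_ascii = [f"U+{ord(c):04X}" for c in label if ord(c) > 0x7F]
    sms_deliver = any(a.get(ANDROID_NS + "name") == SMS_DELIVER for a in root.iter("action"))
    return {
        "label": label,
        "label_non_ascii": non_ascii,
        "sms_permissions": sorted(perms & SMS_PERMS),
        "ignores_battery_optimization": BATTERY_PERM in perms,
        "claims_default_sms_role": sms_deliver,
    }


def risk_score(findings: dict) -> int:
    """Count independent indicators; three or more warrants manual review."""
    return sum([bool(findings["label_non_ascii"]), bool(findings["sms_permissions"]),
                findings["ignores_battery_optimization"], findings["claims_default_sms_role"]])


# Constructed sample manifest (hypothetical package, not a real XLoader artifact);
# the label hides a zero-width space (U+200B) between "Chr" and "ome".
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.fakechrome">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Chr\u200bome">
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    findings = triage_manifest(SAMPLE_MANIFEST)
    print(findings, "score:", risk_score(findings))
```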

In addition, the malware also sends phishing messages whose content is extracted from the bio (or description) field of fraudulent Pinterest profiles; the messages are then sent to infected smartphones, and pulling the text this way helps them evade detection by antivirus software.

If the malware is unable to access Pinterest, it then uses hardcoded phishing messages that notify potential victims that there is something fishy with their bank account and they need to take immediate action.

McAfee’s researchers noted that the malware displays pop-up messages asking for permissions in English, Korean, French, Japanese, German, and Hindi, which also indicates XLoader’s current targets. They believe that, in addition to Japan, the malware is also targeting Android users in South Korea, France, Germany, and India.

To stay protected from XLoader malware, users are advised not to sideload apps or open short URLs in text messages and to be very cautious while giving permissions to the apps they install. Also, limit the number of apps installed on your Android phone and install apps only from reputable developers.

Additionally, enable Google Play Protect on your Android smartphone so that it can scan all your current apps and any new apps you download for malware.

Also, consider installing additional antivirus software for Android for added security.

Kavita Iyer