McAfee Detects Xamarin-Based Android Malware
By Fernando Mares | Journalist & Industry Analyst
Wed, 01/03/2024 - 15:28
McAfee Mobile Research Team detected a new Xamarin-based backdoor malware that affects Android users. The malware is potentially dangerous because it uses social engineering to obtain special access privileges over private user information. It represents a growing threat as it expands its presence in the largest countries in the Americas.
The recently discovered backdoor was created using Xamarin, an open-source framework for the development of Android and iOS apps using .NET and C#. McAfee labeled this backdoor as Android/Xamalicious. It attempts to acquire special access privileges through social engineering tactics. Afterward, it establishes communication with a command-and-control server to assess whether it should proceed with downloading a second-stage payload.
The payload is dynamically injected as an assembly DLL at runtime, giving the backdoor full control over the device. With this control, the malware can carry out fraudulent activities, such as clicking on ads, installing apps, and performing other financially motivated actions, all without the user's consent. According to McAfee, Android/Xamalicious’ second-stage payload contains functions to self-update the main APK, which means it has the potential to perform any type of activity, like spyware or a banking trojan, without user interaction.
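The article describes the backdoor's first step as social engineering the user into granting it special access. On Android, the most abused such access is an enabled AccessibilityService, which the system records in the Secure setting `enabled_accessibility_services`. The following audit script is an added example written for this page; it is not McAfee's tooling or code from the malware report. It parses the value that `adb shell settings get secure enabled_accessibility_services` prints (a colon-separated list of `package/ServiceClass` component names) and flags every package that is not on an expected allowlist, so a defender can quickly see which apps hold that privilege on a device. The allowlist, the `com.example.horoscope` package and the sample setting string are constructed for the example.

```python
"""Audit which Android apps hold accessibility-service access.

Added example (not from the McAfee report). Assumption: Xamalicious-style
backdoors obtain their "special access" by convincing the user to enable an
AccessibilityService. Enabled services live in the Secure settings key
`enabled_accessibility_services`; `adb shell settings get secure
enabled_accessibility_services` prints them colon-separated as
`package/ServiceClass`, or `null` when none are enabled.
"""
import subprocess

# Constructed allowlist of packages expected to run an accessibility
# service on a managed device; adjust it for your own fleet.
EXPECTED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}

# Constructed sample of what the adb command prints on an affected device:
# the legitimate TalkBack service plus a hypothetical horoscope app.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.horoscope/.AccessibilityHelper"
)


def parse_enabled_services(raw):
    """Turn the raw setting value into a list of (package, service_class)."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue  # ignore malformed fragments rather than crash
        pkg, cls = entry.split("/", 1)
        # Flattened ComponentName shorthand: ".Svc" means "<pkg>.Svc"
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def find_unexpected(raw, expected=EXPECTED_PACKAGES):
    """Return the services whose package is not on the allowlist."""
    return [(p, c) for p, c in parse_enabled_services(raw) if p not in expected]


def read_from_device(serial=None):
    """Fetch the live setting over adb (requires a connected device)."""
    cmd = ["adb"]
    if serial:
        cmd += ["-s", serial]
    cmd += ["shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Run against the constructed sample so the script works offline;
    # swap in read_from_device() to audit a real handset.
    for pkg, cls in find_unexpected(SAMPLE_OUTPUT):
        print(f"UNEXPECTED accessibility service: {pkg} ({cls})")
```

Any package the script reports is worth checking against the app's stated purpose: a horoscope or health app has no reason to drive the screen on the user's behalf, and that is exactly the privilege the article says the backdoor asks for.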
McAfee noted that the use of the Xamarin framework allowed the malware authors to stay active and undetected for a long time. Furthermore, the authors implemented obfuscation techniques and custom encryption to make their malicious code more challenging to understand and analyze.
According to McAfee, more than 25 different apps carried this malware and were distributed on Google Play since mid-2020. Most of the apps were related to health, games, horoscopes, and productivity. The apps were removed from the Google Play Store after McAfee issued its report. Still, McAfee estimates that over 327,000 users were affected by the malware. This figure is based only on Google Play’s download counts and does not include third-party app stores. The company stressed that this threat is still very active. McAfee added that its products identify the malware as Android/Xamalicious.
According to McAfee, most affected users are in the Americas, with the most activity in the United States, Brazil, and Argentina. In Europe, the company reported infected devices in the United Kingdom, Spain, and Germany. The malware also has a wide presence in Mexico, Australia, Chile, Colombia, Venezuela, and South Korea, among other countries.