With millions of apps on Google’s Play Store, almost 90 percent of them are said to be free to download. But free things are seldom what they seem. Android’s ‘massive user base’ has caught the attention of hackers and cyber criminals who have managed to bypass Google’s security on the Play Store and upload apps infected with malware. Security firm Trend Micro has discovered a malware called ‘Xavier’ that has infected more than 800 Android apps on the Google Play Store.
What is Xavier ad library malware?
While many of these free Android apps rely on advertisements to generate revenue, Android developers tend to integrate an Android ad SDK library into their apps, which generally doesn’t affect an app’s performance. According to security researchers at Trend Micro, this particular malicious ad library comes bundled with a wide range of Android apps such as photo editors, wallpapers, ringtone changers, volume boosters, video converters, music video players and RAM optimisers. The malware silently steals users’ personal and financial data.
The research report notes that the malicious code, which has been downloaded millions of times through free apps, is mostly concentrated in Indonesia, the Philippines and Vietnam. A few downloads were also attempted from the US and Europe.
“Xavier’s stealing and leaking capabilities are difficult to detect because of a self-protect mechanism that allows it to escape both static and dynamic analysis. In addition, Xavier also has the capability to download and execute other malicious codes, which might be an even more dangerous aspect of the malware. Xavier’s behavior depends on the downloaded codes and the URL of codes, which are configured by the remote server,” Trend Micro wrote in its report.
Is Xavier a new malware?
Notably, the malicious Xavier ad library is not new malware. It is, in fact, a member of the AdDown family, which was discovered two years ago. The research report cites that the first version, called ‘joymobile’, appeared in early 2015 and was capable of ‘remote code execution’. While the ‘previous variant’ of the Xavier ad library was simple adware that silently installed other APKs on targeted devices, the new version comes with additional capabilities such as evading detection, stealing information and remote code execution. The malware can evade both static and dynamic malware analysis, can download code from a Command and Control (C&C) server, and can steal users’ credentials and device details, including email address, device ID, model, OS version, country, manufacturer, SIM card operator, screen resolution and installed apps.
List of apps infected by malicious Xavier ad library
Trend Micro has listed around 75 Android apps that are infected by this malware. Some of these apps include ‘photogrid.frame.photocollage’, ‘forecast.weatherlive.weather’, ‘finder.photo.imagessearch’, ‘galaxygame.fighterwar’, ‘live3d.wallpaperlite’ and ‘camspecial.clonecamera’. You can check the entire list of infected Android apps here. Thankfully, Google has removed these infected apps from the Play Store. But if you happen to have installed any of these apps, you should remove it immediately.
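One way to check a device against the identifiers quoted above is to match its installed package list against them. The script below is an added example, not Trend Micro’s tooling; it uses only the six identifiers the article names (the full list is longer), and the sample package list and its ‘com.example.’ prefixes are constructed for illustration.

```shell
#!/bin/sh
# Identifiers quoted in the article (the full Trend Micro list has ~75 entries).
XAVIER_IDS="photogrid.frame.photocollage
forecast.weatherlive.weather
finder.photo.imagessearch
galaxygame.fighterwar
live3d.wallpaperlite
camspecial.clonecamera"

# find_xavier_packages: reads "package:<name>" lines on stdin, the format
# printed by `adb shell pm list packages`, and prints each installed package
# whose name contains one of the quoted identifiers. Like grep, it exits 0
# when at least one package matched and 1 when none did.
find_xavier_packages() {
    found=0
    while IFS= read -r line; do
        pkg=${line#package:}
        for id in $XAVIER_IDS; do
            case "$pkg" in
                *"$id"*) printf '%s\n' "$pkg"; found=1; break ;;
            esac
        done
    done
    [ "$found" -eq 1 ]
}

# Constructed sample in the pm list packages format (package names are assumed).
SAMPLE='package:com.android.settings
package:com.example.photogrid.frame.photocollage
package:com.google.android.gms
package:com.example.live3d.wallpaperlite'

# Stand-alone run over the sample; on a real device use:
#   adb shell pm list packages | find_xavier_packages
printf '%s\n' "$SAMPLE" | find_xavier_packages
```

A match only shows that a package name contains one of the quoted identifiers; confirm against the full published list before uninstalling.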
What should Android users do to protect their devices from this malware?
Apps infected with malware have been a severe problem for users and even for app developers. While the search giant puts effort into removing these infected apps, users should also be careful when downloading apps on their smartphones. Researchers have always urged users, primarily Android users, to check an app’s reviews before downloading it and to check the permissions an app asks for. Users should install verified security software to keep their devices from being infected by such malware and to guard against potential threats.