For what will hopefully be the last time in 2023, we have a few more malicious Android apps to warn you about. The McAfee Mobile Research Team recently uncovered 25 apps infected with Xamalicious malware, several of which were distributed on the Google Play store. Google has since removed the apps, but they might still be on your phone. If so, you should delete them as soon as possible and keep an eye on your accounts.
These are the infected apps that have since been removed from Google Play:
- Essential Horoscope for Android – 100,000 downloads
- 3D Skin Editor for PE Minecraft – 100,000 downloads
- Logo Maker Pro – 100,000 downloads
- Auto Click Repeater – 10,000 downloads
- Count Easy Calorie Calculator – 10,000 downloads
- Sound Volume Extender – 5,000 downloads
- LetterLink – 1,000 downloads
- NUMEROLOGY: PERSONAL HOROSCOPE & NUMBER PREDICTIONS – 1,000 downloads
- Step Keeper: Easy Pedometer – 500 downloads
- Track Your Sleep – 500 downloads
- Sound Volume Booster – 100 downloads
- Astrological Navigator: Daily Horoscope & Tarot – 100 downloads
- Universal Calculator – 100 downloads
As the McAfee researchers explain, Xamalicious is an Android backdoor built on the Xamarin open-source mobile app platform. Apps infected with Xamalicious use social engineering tactics to gain accessibility privileges, at which point the device begins communicating with a command-and-control server without the device owner being any the wiser.
That server then downloads a second payload onto the phone that can “take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps among other actions financially motivated without user consent.”
“The usage of the Xamarin framework allowed malware authors to stay active and without detection for a long time, taking advantage of the build process for APK files that worked as a packer to hide the malicious code,” says McAfee’s Mobile Research Team. “In addition, malware authors also implemented different obfuscation techniques and custom encryption to exfiltrate data and communicate with the command-and-control server.”
Once again, these apps are no longer available to download on Google Play. That’s the good news, but Google can’t remotely remove the apps from your phone if you already downloaded them. Be sure to do a quick sweep of your app list to be safe.
UPDATE: Google spokesperson Ed Fernandez reached out to remind us that Google Play Protect shields users from malware no matter where it comes from. If an Android user did download one of these apps, they would have received a warning, and it would have been automatically uninstalled. Also, if they tried to install the app after the malware was identified, they would get a warning, and Android would block them from downloading it.