Mobile phones, 12.02.2024, 00:00 AM
Researchers at McAfee discovered a new version of the XLoader Android malware, which spreads mainly via SMS messages containing a shortened URL that leads to a site hosting an APK installer for a fake Chrome app.
XLoader (MoqHao) is the work of the Roaming Mantis group, which is known for attacking users in the US, UK, Germany, France, Japan, South Korea and Taiwan.
The new version of XLoader launches automatically as soon as the application is installed. This lets the malware run covertly in the background and extract sensitive user information.
The app that victims download asks for risky permissions, such as sending and accessing text messages, as well as allowing it to “always run in the background.” The fake app also asks the user to be the default SMS app, claiming that this will help block unwanted messages.
The pop-up messages used in this step are in English, Korean, French, Japanese, German and Hindi, indicating the current targets of the malware.
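The permission pattern described above (SMS send and read access combined with a request to become the default SMS app) is something a triage pipeline can check for in a decoded manifest. The following is an added example, not McAfee's code or anything from the malware; the manifest text and the package name are constructed for illustration, and the check assumes the APK has already been decoded to plain XML.

```python
"""Triage heuristic (added example): score a decoded AndroidManifest.xml
against the permission pattern the report attributes to the fake Chrome app:
SMS send/read permissions plus the components of a default-SMS-app candidate.
The manifest below is constructed, not taken from a real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest resembling the described permission set. Assumption:
# a real APK's binary manifest is first decoded (e.g. with apktool) to XML.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechrome">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
             "android.permission.RECEIVE_SMS"}
DATA_PERMS = {"android.permission.READ_CONTACTS",
              "android.permission.READ_EXTERNAL_STORAGE"}

def triage_manifest(xml_text: str) -> dict:
    """Return matched indicators and a verdict for one decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A receiver for SMS_DELIVER is one of the components Android requires
    # before an app can be offered as the default SMS handler.
    wants_default_sms = any(
        a.get(ANDROID_NS + "name") == "android.provider.Telephony.SMS_DELIVER"
        for a in root.iter("action"))
    found = {"sms_permissions": sorted(perms & SMS_PERMS),
             "data_permissions": sorted(perms & DATA_PERMS),
             "default_sms_candidate": wants_default_sms}
    # Flag only the full pattern from the report: all SMS permissions are
    # requested and the app is also set up to become the default SMS app.
    found["suspicious"] = (len(found["sms_permissions"]) == len(SMS_PERMS)
                           and wants_default_sms)
    return found

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A browser has no legitimate reason to request any of these, so a hit on an app claiming to be Chrome is worth a manual look.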
The latest version of XLoader opens notification channels to perform phishing attacks on the device. The malware retrieves its phishing messages and URLs from Pinterest profiles, presumably to avoid detection. Using Pinterest also allows the attackers to change phishing sites and messages on the fly without having to push a malware update to the device. Failing that, XLoader falls back to phishing messages embedded in the malware code, which alert the user to a problem with their bank account and require them to take action.
In addition, the malware can execute 20 commands that it receives from the command and control (C2) server.
The malware sends all photos on the device, all SMS messages and the contact list to the server, and collects device identifiers (IMEI, SIM, Android ID, serial number), enabling tracking.
McAfee warns that the latest variants of XLoader can be particularly dangerous because they require minimal user interaction.
Android devices with Google Play Services are protected against this type of malware using Play Protect, which is turned on by default.