Dubbed "Xavier," the malicious ad library, initially emerged in September 2016, is a member of AdDown malware family, potentially posing a severe threat to millions of Android users.
Since 90 percent of Android apps are free for anyone to download, advertising on them is a key revenue source for their developers. For this, they integrate Android SDK Ads Library in their apps, which usually doesn't affect an app's core functionality.
According to security researchers at Trend Micro, the malicious ad library comes pre-installed on a wide range of Android applications, including photo editors, wallpapers and ringtone changers, Phone tracking, Volume Booster, Ram Optimizer and music-video player.
Features of Xavier Info-Stealing Malware
- Evade Detection: Xavier is smart enough to escape from being analyzed, from both static and dynamic malware analysis, by checking if it is being run in a controlled environment (Emulator), and using data and communication encryption.
- Remote Code Execution: The malware has been designed to download codes from a remote Command & Control (C&C) server, allowing hackers to remotely execute any malicious code on the targeted device.
- Info-Stealing Module: Xavier is configured to steal devices and user related information, which includes user’ email address, Device id, model, OS version, country, manufacturer, sim card operator, resolution, and Installed apps.
According to the researchers, the highest number of infected users are from Southeast countries in Asia such as Vietnam, Philippines, and Indonesia, with a fewer number of downloads are from the United States and Europe.
Here is a list of 75 infected Android apps that Google has already removed from its Play Store, and if you have installed any of these apps on your device, you are advised to remove it immediately.
Android malware continues to evolve with more sophisticated and never-seen-before capabilities with every passing day. Just last week, we saw first Android malware with code injecting capabilities making rounds on Google Play Store.
How to Protect Yourself
Moreover, always look at the reviews below left by other users who have downloaded the app and verify app permissions before installing any app and grant those permissions that have are relevant for the app's purpose.
Last but not the least, you are strongly advised to always keep a good antivirus application on your device that can detect and block such malware before they can infect your device, and keep your device and apps up-to-date.
Contact Gigasec Services to get you started.
Reference: The Hacker News