Android

A new version of the XLoader Android malware was discovered that automatically executes on devices it infects, requiring no user interaction to launch.

XLoader, aka MoqHao, is an Android malware operated and likely created by a financially motivated threat actor named 'Roaming Mantis,' previously seen targeting users in the U.S., U.K., Germany, France, Japan, South Korea, and Taiwan.

Attackers primarily distribute the malware through SMS text that contains a (shortened) URL pointing to a site delivering an Android APK installation file for a mobile app.

Researchers at McAfee report that recent XLoader variants demonstrate the ability to launch automatically after installation. This allows the malware to run stealthily in the background and siphon sensitive user information, among other things.

Infection chain
Old and new infection chains (McAfee)

"While the app is installed, their malicious activity starts automatically," explains McAfee, an Android's App Defense Alliance partner.

"We have already reported this technique to Google and they are already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version."

To further obfuscate the malicious app, Roaming Mantis employs Unicode strings to disguise the malicious APKs as legitimate software, notably, the Chrome web browser.

Permission requests during first launch
Permission requests during first launch (McAfee)

This impersonation is vital for the next step, which is to trick the user into approving risky permissions on the device, like sending and accessing SMS content, and to be allowed to 'always run in the background' by adding an exclusion from Android's Battery Optimization.

Tricky request to set the malware as default app for SMS
Tricky request to set the malware as default app for SMS (McAfee)

The fake Chrome app also asks the user to set itself as the default SMS app, claiming that doing so will help prevent spam.

The pop-up messages used in this step are available in English, Korean, French, Japanese, German, and Hindi, which indicates XLoader's current targets.

Code to create the pop-up messages
Code to create the pop-up messages (McAfee)

Malware's operation

XLoader's recent iteration creates notification channels to perform custom phishing attacks on the device.

It extracts phishing messages and landing URLs from Pinterest profiles, likely to evade detection from security tools monitoring for suspicious traffic sources.

Pinterest profile hosting the phishing message and URL
Pinterest profile hosting the phishing message and URL (McAfee)

Also, using Pinterest enables attackers to switch phishing destinations and messages on the fly without risking sending an update to the malware on the device.

If that fails, XLoader reverts to using hardcoded phishing messages that alert the user to a problem with their bank account that requires them to take action.

Additionally, the malware can execute a wide array of commands (20 in total) received from its command and control (C2) server via the WebSocket protocol.

The most important XLoader commands are:

  • get_photo: Transmits all photos to the control server, risking significant privacy breaches.
  • getSmsKW: Sends all SMS messages to the control server, risking privacy by potentially exposing sensitive information.
  • sendSms: Allows the malware to send SMS messages, spreading the malware or enabling phishing by impersonation.
  • gcont: Exports the entire contacts list to the control server, risking privacy breaches and enabling targeted phishing.
  • getPhoneState: Collects device identifiers (IMEI, SIM number, Android ID, serial number), allowing tracking.
  • http: Facilitates sending HTTP requests for downloading malware, data exfiltration, or C2 communication.

Since its appearance in the mobile threat scene in 2015, XLoader has consistently evolved its attack methodologies, enhancing its stealth capabilities and effectiveness.

McAfee warns that XLoader's newest variants can be particularly effective as they require minimal user interaction.

Considering that the malware hides under the guise of Chrome, McAfee suggests using a security product that can scan the device and uproot those threats based on known indicators.

Update 2/9 - Android devices with Google Play Services are protected against this malware type by Play Protect, which is on by default.

Related Articles:

New Medusa malware variants target Android users in seven countries

Over 90 malicious Android apps with 5.5M installs found on Google Play

Finland warns of Android malware attacks breaching bank accounts

Rafel RAT targets outdated Android phones in ransomware attacks

Snowblind malware abuses Android security feature to bypass security