More malicious Android apps infect thousands of phones in Australia


Cybersecurity company McAfee has identified a previously unknown Android backdoor, named Xamalicious, that has impacted over 340,000 devices through malicious apps available on Google Play, Android’s official mobile app store.

McAfee’s investigation revealed the presence of 14 infected apps on Google Play, with three of them accumulating a substantial 100,000 installs each.

Despite their subsequent removal by Google, users who installed these apps from mid-2020 until early-2023 are still harbouring active Xamalicious infections, including in Australia, necessitating manual scans and cleanup efforts.


The most popular among the infected apps include Essential Horoscope for Android, 3D Skin Editor for PE Minecraft, and Logo Maker Pro, each boasting 100,000 installations.

Other affected apps include Auto Click Repeater, Count Easy Calorie Calculator, Dots: One Line Connector and Sound Volume Extender.

Count Easy Calorie Calculator and Dots: One Line Connector apps have been infected with the Xamalicious malware. According to McAfee, Cash Magnet is an ad-fraud scheme app. Credit: McAfee

In addition to the Google Play infiltration, a separate set of 12 malicious apps carrying the Xamalicious threat has been identified on unofficial third-party app stores, infecting users via downloadable APK (Android package) files. Unfortunately, specific download statistics for these apps are not available from McAfee.

According to McAfee’s data, the majority of infections have been reported in the United States, Germany, Australia, Spain, Brazil, Mexico, Argentina and the United Kingdom.

Xamalicious infections have been found around the world, including in Australia. Credit: McAfee

The most popular apps are:

  • 3D Skin Editor for PE Minecraft – 100,000 installs
  • Essential Horoscope for Android – 100,000 installs
  • Logo Maker Pro – 100,000 installs
  • Dots: One Line Connector – 10,000 installs
  • Count Easy Calorie Calculator – 10,000 installs
  • Auto Click Repeater – 10,000 installs
  • Sound Volume Extender – 5000 installs

Understanding Xamalicious: A stealthy Android backdoor

Xamalicious is an Android backdoor embedded within apps developed using the open-source Xamarin framework, which makes the analysis of its code more challenging.

Once installed, Xamalicious requests access to the phone’s Accessibility Service, which gives it the ability to perform privileged actions such as navigation gestures, hiding on-screen elements and granting itself permissions.

The malware communicates with a command and control (C2) server to download an additional file if specific prerequisites related to geographical location, network, device configuration and root status are met.

Capable of executing various commands, Xamalicious gathers device and hardware information, determines the device’s geographic location, identifies emulators, checks root status, lists installed apps, reports accessibility service permissions and connects to a remote server to download additional files.

McAfee has also uncovered links between Xamalicious and an ad-fraud app called Cash Magnet, suggesting that the backdoor may engage in ad fraud activities, impacting your phone’s performance and network bandwidth.

While Google Play implements measures to combat malware, including initiatives such as the App Defense Alliance, unofficial platforms lack such stringent controls.

Android users are advised to refrain from downloading apps from third-party sources, stick to essential apps, read user reviews before installation and thoroughly vet app developers and publishers.

Full package names for the infected apps can be found on the McAfee website.
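For readers doing the manual scan mentioned above, the following is an added example, not code from McAfee or from this article: it checks a device's installed packages against a watchlist and lists every app that currently holds Accessibility Service access. The watchlist entry is a placeholder to be replaced with the package names McAfee publishes, and the trusted list and sample output are constructed assumptions.

```python
# Added example: offline audit of one Android device's adb output.
import subprocess

# Assumption: apps you deliberately allow to hold Accessibility access.
TRUSTED = {"com.google.android.marvin.talkback"}
# Placeholder only: substitute the package names published by McAfee.
WATCHLIST = {"com.example.placeholder.infectedapp"}

def parse_accessibility(raw):
    """Split the colon-separated 'package/class' setting into pairs."""
    raw = (raw or "").strip()
    if raw in ("", "null"):          # an unset setting prints "null"
        return []
    pairs = []
    for item in raw.split(":"):
        pkg, _, cls = item.strip().partition("/")
        if pkg:
            # ".Svc" is shorthand for "<package>.Svc"
            pairs.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return pairs

def parse_packages(raw):
    """Turn 'pm list packages' lines ('package:<name>') into a set."""
    prefix = "package:"
    return {ln.strip()[len(prefix):] for ln in raw.splitlines()
            if ln.strip().startswith(prefix)}

def audit(accessibility_raw, packages_raw, watchlist=WATCHLIST, trusted=TRUSTED):
    """Report watchlisted installs and Accessibility holders you do not trust."""
    holders = {pkg for pkg, _ in parse_accessibility(accessibility_raw)}
    installed = parse_packages(packages_raw)
    return {"watchlist_hits": sorted(installed & set(watchlist)),
            "untrusted_accessibility": sorted(holders - set(trusted))}

def audit_device():
    """Run the same audit against a device connected over adb."""
    def sh(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    return audit(sh("settings", "get", "secure", "enabled_accessibility_services"),
                 sh("pm", "list", "packages"))

# Constructed sample output, not taken from a real device.
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/"
                        "com.google.android.marvin.talkback.TalkBackService"
                        ":com.example.placeholder.infectedapp/.HelperService\n")
SAMPLE_PACKAGES = ("package:com.android.chrome\n"
                   "package:com.example.placeholder.infectedapp\n")

if __name__ == "__main__":
    print(audit(SAMPLE_ACCESSIBILITY, SAMPLE_PACKAGES))
```

An app appearing under `untrusted_accessibility` is not proof of infection, since legitimate tools also use the service; it is a prompt to review that app and revoke access if it is not needed.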
