Trend Micro has discovered a new Trojan malware that is pretty nasty. The security analysts identified the malware as “ANDROIDOS_XAVIER.AXM” or Xavier for short. It is an ad library that quietly sends user data to a remote server. What makes it so nasty is the methods it uses to cover its tracks and disguise its activities.
First of all, it comes embedded within relatively innocuous apps, like ringtone makers and photo editing apps. Most of these applications appear to be originating from Southeast Asia. Trend Micro has discovered over 800 different apps containing the malware which have been downloaded cumulatively millions of times from Google Play, so it is fairly widespread.
Another thing that makes the malware insidious is the way it is coded into the application. No overtly malicious code is present in the app itself, so nothing raises a flag when it is submitted to the store for approval. However, once installed, the malware downloads malicious code from a covert server, which it can then execute. All of this can happen in the background without the user’s knowledge or consent.
“[It] is [also] capable of installing other APKs, and it can do this silently if the device is rooted,” say the analysts.
An example of an app embedded with the Xavier malware
Xavier goes to great lengths to hide its presence and actions. It uses string encryption and internet data encryption to mask its communications. It also performs checks on the device to ensure that it is actually installed on a phone and not an emulator.
“Xavier’s stealing and leaking capabilities are difficult to detect because of a self-protect mechanism that allows it to escape both static and dynamic analysis.”
If the malware detects that it is running on emulated hardware, it shuts down.
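The three traits the article describes, loading code fetched at runtime, checking Build properties to spot an emulator, and hiding constants behind string encryption, each leave traces in an APK's string table. The triage script below is an added example, not Trend Micro's code or anything taken from Xavier: it scores a list of strings (a constructed sample here) for those traits, using well-known Android API names as the indicator lists.

```python
"""Heuristic triage of strings pulled from an APK's classes.dex for the
behaviours the article attributes to Xavier. Example code added to this
page; indicator lists are assumptions based on public Android API names."""
import math
import re
from collections import Counter

# Smali-style references for loading code at runtime (real Android APIs).
DYNAMIC_LOADING = {"Ldalvik/system/DexClassLoader;", "Ldalvik/system/PathClassLoader;",
                   "Ljava/lang/reflect/Method;->invoke"}
# Build properties and values commonly used to tell a handset from an emulator.
EMULATOR_CHECKS = {"Landroid/os/Build;->FINGERPRINT", "Landroid/os/Build;->MODEL",
                   "goldfish", "generic", "google_sdk"}
# Crypto primitives: only interesting in combination with the other two.
CRYPTO_USE = {"Ljavax/crypto/Cipher;", "Ljavax/crypto/spec/SecretKeySpec;"}


def shannon_entropy(s: str) -> float:
    """Bits per character; English text sits near 4, encoded ciphertext higher."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_encrypted(s: str) -> bool:
    """Long, base64-looking and high-entropy: typical of an encrypted string constant."""
    return (len(s) >= 24 and re.fullmatch(r"[A-Za-z0-9+/=]+", s) is not None
            and shannon_entropy(s) > 4.5)


def triage(strings):
    """Group matching strings by behaviour class and attach a verdict."""
    found = {
        "dynamic_loading": sorted(s for s in strings if s in DYNAMIC_LOADING),
        "emulator_checks": sorted(s for s in strings if s in EMULATOR_CHECKS),
        "crypto_use": sorted(s for s in strings if s in CRYPTO_USE),
        "encrypted_blobs": [s for s in strings if looks_encrypted(s)],
    }
    hits = sum(1 for v in found.values() if v)
    # Three or more independent traits together warrant a manual look.
    found["verdict"] = "review" if hits >= 3 else "benign-looking"
    return found


# Constructed sample: strings as they might appear in a dex string table.
SAMPLE_STRINGS = [
    "Lcom/example/ringtone/MainActivity;", "Landroid/os/Build;->FINGERPRINT",
    "goldfish", "Ldalvik/system/DexClassLoader;", "Ljavax/crypto/Cipher;",
    "Q2f9VbZp3xR8mK1sLw7nT4yH6jUeA0cD", "Ringtone saved",
]

if __name__ == "__main__":
    print(triage(SAMPLE_STRINGS))
```

A single hit (an app that merely uses `Cipher`, say) is normal; the heuristic only flags the combination.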
Once on the device, the malware can transmit various information about the phone and the user. Some of what it sends seems harmless at first, such as the equipment manufacturer, language, and country of origin. However, it is also capable of transmitting email addresses and other personal information.
Trend Micro did not have a full list of affected apps but did provide a list of “applications, which have been removed by Google as of publication,” including hashes.
The analysts suggest avoiding apps from unknown sources as a primary precaution. Trend Micro also offers a Mobile App Reputation Service that you can use to scan apps by name to determine whether they are trustworthy. There are also security apps from Trend Micro on the Google Play store that can be installed to protect your device from malware.