The best Android phones are once again under attack from malware and this time, a previously unknown backdoor has been used to infect over 300,000 smartphones.
The good news is that the bad apps in question have since been removed from Google’s official Android app store. However, the cybercriminals behind this campaign are also using a separate set of 12 malicious apps on unofficial third-party app stores to spread the Xamalicious malware. These apps need to be sideloaded onto your smartphone though as they are installed via an APK file.
Here’s everything you need to know about this new Android malware strain along with some tips and tricks on how you can stay safe from malicious apps.
Reader Offer: Save 68% on Aura identity theft protection
Aura provides everything you need to protect your identity, data and devices online with malware protection, a password manager and a VPN all included. Tom's Guide readers can save up to 68% when they sign up.
Preferred partner (What does this mean?)
Delete these apps right now
As I mentioned before, all of the apps listed below have been removed from the Google Play Store. However, if you have any of them installed on your Android smartphone or tablet, you’re going to need to manually remove them. Here are the most popular malicious apps that contain the Xamalicious malware:
- Essential Horoscope for Android – 100,000 installs
- 3D Skin Editor for PE Minecraft – 100,000 installs
- Logo Maker Pro – 100,000 installs
- Auto Click Repeater – 10,000 installs
- Count Easy Calorie Calculator – 10,000 installs
- Dots: One Line Connector – 10,000 installs
- Sound Volume Extender – 5,000 installs
Although some of these malicious apps are newer, McAfee points out in a blog post that variants of them have been distributed on the Play Store since mid-2020. This means that you may have accidentally installed one of them onto your Android device years ago without realizing it. As such, you should go to Settings and then Apps to look through your list of All Apps just to be safe. It’s a good idea to do this from time to time as limiting the number of apps on your phone can also help you stay safe from mobile malware.
Adding a backdoor to your Android smartphone
Xamalicious is a .NET-based Android backdoor which can be embedded in any app developed using the open-source Xamarin framework. This also makes analyzing the malicious code these apps contain more difficult.
When one of the malicious apps listed above is installed on an Android smartphone, it first requests access to the operating system’s Accessibility Service. If a user does grant this access, it allows for the malware to perform a number of privileged actions on an infected smartphone such as navigation gestures, hiding on-screen elements and even granting itself additional permissions.
From here, the malware uses a hacker-controlled command and control (C2) server to download a second-stage payload but only after certain prerequisites are met. Xamalicious has a number of capabilities including the ability to gather device info, geographic location data, root info and more.
According to McAfee, the cybersecurity firm’s researchers have also found links between the malware and an ad-fraud app called “Cash Magnet” that automatically clicks on ads and installs adware on a victim’s smartphone. Besides hurting businesses, ad fraud can slow down your smartphone’s performance, eat up your mobile data and wear down your battery, all in the background without your knowledge.
How to stay safe from malicious Android apps
When it comes to protecting yourself from malicious apps, the first and most important thing you can do is to be extra careful when downloading and installing any new app. You want to look closely at an app’s rating and reviews in the Play Store but since these can be faked, you should also look at external reviews as well and video reviews are especially useful here since they show the app in question in action.
At the same time, you also want to avoid sideloading apps, despite how fast and convenient installing an app using an APK file can be. These apps from unofficial third-party app stores don’t go through the same rigorous security checks that apps on official stores do and as such, they could contain malware. This is why you want to stick to official Android app stores like the Google Play Store, Samsung Galaxy Store or the Amazon Appstore.
To keep your data and devices safe, you should also be using one of the best Android antivirus apps on your smartphone. If you’re on a tight budget though, Google Play Protect also scans all of the new apps you download as well as your existing apps for malware. It’s completely free and comes pre-installed on most Android smartphones.
In a statement to Tom's Guide, a Google spokesperson provided further details on how Google Play Protect can help keep you safe from malicious apps, saying:
"Google Play Protect, the on-device malware protection on Android devices with Google Play Services, protects users from this malware both on and off-Play. If a user already had one of these apps known to contain the malware installed, the user received a warning and it was automatically uninstalled from their device. If a user tries to install an app with this identified malware, they'll get a warning and the app will be automatically blocked from being installed."
Malicious apps have proven to be quite successful for hackers and other cybercriminals which is why they likely won’t be going anywhere anytime soon. For this reason, it’s up to you to carefully check and review any new app before you install it onto your devices.
More from Tom's Guide
Get the BEST of Tom’s Guide daily right in your inbox: Sign up now!
Upgrade your life with the Tom’s Guide newsletter. Subscribe now for a daily dose of the biggest tech news, lifestyle hacks and hottest deals. Elevate your everyday with our curated analysis and be the first to know about cutting-edge gadgets.
Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.