Security experts have discovered brand-new Android malware that launches without even requiring user input. However, the victim’s consent is still required for it to completely function and carry out the tasks for which it was intended.
Cybersecurity researchers from McAfee said they observed a new version of XLoader, a known Android malware variant that was used in the past to steal sensitive user information from victims in the US, UK, Germany, France, Japan, South Korea, and Taiwan. This new loader is distributed in the same manner as its predecessors – via an SMS message containing a shortened URL, leading to a website hosting the malicious .APK file.
However, the key difference comes after installation – the victim doesn’t need to run the new variant – it automatically launches, and stealthily at that. Google was already tipped off and is working on a fix: “While the app is installed, their malicious activity starts automatically,” McAfee said. “We have already reported this technique to Google and they are already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version.”
Asking for permissions
But simply running the app will not suffice, as it still needs vital permissions to start stealing data. To trick the victims into granting them, the malware was given the name Chrome, but via Unicode strings – so the app’s font will look slightly off, which should be enough of a red flag. If that doesn’t ring any alarms, the permissions the app seeks should: it asks for the ability to send and access SMS content, and to be able to always run in the background.
As the pop-up messages asking for these permissions are available in English, Korean, French, Japanese, German, and Hindi, McAfee’s researchers believe these are also target countries.
Among other things, XLoader can steal people’s photos, send SMS messages, extract existing SMS messages to a third-party server, export contact lists, grab device identifiers, and more.