Rewterz Threat Update – Android XLoader Malware Can Now Execute Automatically upon Installation

Severity

High

Analysis Summary

A new version of the Android malware XLoader, operated by the financially motivated threat actor ‘Roaming Mantis,’ has been discovered. Unlike previous iterations, this variant automatically executes upon device infection, bypassing the need for user interaction. XLoader is distributed via SMS containing URLs to malicious Android APK installation files. Recent variants demonstrate the ability to run stealthily in the background, siphoning sensitive user information.

“We have already reported this technique to Google and they are already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version,” researchers mentioned.

To evade detection, XLoader disguises itself using Unicode strings, impersonating legitimate software like the Chrome browser. Once installed, it requests risky permissions such as accessing SMS content and running in the background, often masquerading as a Chrome update. It employs pop-up messages in multiple languages to target a wide range of users.

The malware creates notification channels for custom phishing attacks, extracting messages and URLs from Pinterest profiles to avoid detection. It can also execute various commands received from its command and control server via the WebSocket protocol. These commands include collecting photos, SMS messages, contact lists, device identifiers, sending SMS messages, and performing HTTP requests.

XLoader’s continuous evolution since 2015 has enhanced its stealth capabilities and effectiveness. Researchers warns that the latest variants, requiring minimal user interaction and hiding under the guise of Chrome, can be particularly effective. To combat this threat, users are advised to utilize security products capable of scanning for known indicators of such malware.

Impact

• Financial Loss
• Unauthorized Access
• Sensitive Information Theft

Remediation

• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Employ a reputable and up-to-date mobile security solution that can detect and remove malware.
• Patch and upgrade any platforms and software timely and make it into a standard security policy.
• Review the permissions granted to installed apps on your device. Be cautious about granting unnecessary or excessive permissions, especially for apps that request access to sensitive data or features.
• Prioritize patching known exploited vulnerabilities and zero-days. Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Do not open emails and attachments from unknown or suspicious sources.
• Regularly back up important data on your device to an external source or cloud storage.