Trend Micro Detects Xavier Android Malware in 800 Mobile Apps Downloaded from Play Store

Trend Micro discovered a Trojan Android malware called Xavier that silently steals and leaks a user’s information. Xavier’s impact has been widespread: based on data from the Trend Micro Mobile App Reputation Service, Trend Micro detected more than 800 applications embedded with Xavier that have been downloaded millions of times from the Google Play Store. These applications range from utility apps such as photo manipulators to wallpaper and ringtone changers. Trend Micro also provides multilayered mobile security solutions to protect users from this threat.

Trend Micro found that Xavier has some notable features that differentiate it from other malware. First, it contains embedded malicious behaviour that downloads code from a remote server, then loads and executes it. Second, it goes to great lengths to avoid detection through methods such as string encryption, encryption of data sent over the Internet, and emulator detection.

Xavier’s stealing and leaking capabilities are difficult to detect because of a self-protection mechanism that allows it to evade both static and dynamic analysis. Xavier can also download and execute other malicious code, which may be an even more dangerous aspect of the malware: its behaviour depends on the downloaded code and on the URL the code is fetched from, both of which are configured by the remote server. To avoid detection, Xavier encrypts all constant strings, making static detection and manual analysis more difficult. It transmits data over HTTPS to prevent its traffic from being captured, and it hides its behaviour based on the running environment (for example, when it detects that it is running in an emulator).

“Updating and patching mobile devices will help keep malware that targets vulnerabilities at bay. In addition, end users and enterprises can also look into multi-layered mobile security solutions such as Trend Micro™ Mobile Security for Android™, which is also available on Google Play. Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites,” said Mr. Nilesh Jain, Country Manager (India and SAARC), Trend Micro.

He further added, “The easiest way to avoid a cunning malware like Xavier is to not download and install applications from an unknown source, even if they are from legitimate app stores like Google Play. Trend Micro also suggests that users read reviews from other users who have downloaded the applications. Other users can be a great source of insights, especially if they can point out whether a specific application exhibits suspicious behaviour.”

The greatest number of download attempts came from countries in Southeast Asia such as Vietnam, the Philippines, and Indonesia, with fewer downloads from the United States and Europe. Xavier is a member of the AdDown family, which has existed for over two years. The first version, called joymobile, appeared in early 2015. This variant was already capable of remote code execution. The variant known as Xavier emerged sometime in September 2016 with more streamlined code. The first version of Xavier removed APK (Android Package Kit) installation and root checking, but added data encryption with the TEA algorithm.
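As an added example (not code from Trend Micro or from the article), here is a small static-triage script a defender could run over decompiled smali to flag the behaviours described in the earlier paragraphs and here: dynamic code loading, emulator detection, and use of the TEA cipher. The Android class names, the system property and the TEA delta constant are general Android/TEA knowledge used as assumed heuristics; they are not indicators published on this page, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Heuristics for the three behaviours the article attributes to Xavier.
# The patterns below are assumptions based on general Android/TEA facts,
# not indicators taken from the article or from a real Xavier sample.
HEURISTICS = {
    "dynamic_code_loading": [
        r"Ldalvik/system/DexClassLoader;",   # loads a downloaded .dex/.jar
        r"Ldalvik/system/PathClassLoader;",
    ],
    "emulator_detection": [
        r"Landroid/os/Build;->FINGERPRINT",  # commonly inspected for emulators
        r"ro\.kernel\.qemu",                  # system property set by QEMU
        r"goldfish",
        r"google_sdk",
    ],
    "tea_constant": [
        r"0x9e3779b9",    # TEA/XTEA delta as an unsigned 32-bit literal
        r"-0x61c88647",   # the same value as a signed smali literal
    ],
}
_COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
             for cat, pats in HEURISTICS.items()}

def triage(lines):
    """Return {category: [matching line, ...]} for every heuristic that fires."""
    hits = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        for cat, pats in _COMPILED.items():
            if any(p.search(line) for p in pats):
                hits[cat].append(line)
    return dict(hits)

def verdict(hits, threshold=2):
    """Flag for manual review when at least `threshold` distinct behaviour
    categories co-occur; any single category alone is common in benign apps."""
    return len(hits) >= threshold

# Constructed smali-style lines for demonstration; not from a real sample.
SAMPLE = """\
    const-string v1, "ro.kernel.qemu"
    invoke-static {v1}, Lcom/example/Util;->getProp(Ljava/lang/String;)Ljava/lang/String;
    const v3, -0x61c88647
    new-instance v0, Ldalvik/system/DexClassLoader;
    invoke-direct {v0, v1, v2, v3, v4}, Ldalvik/system/DexClassLoader;-><init>(...)
    sget-object v5, Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;
""".splitlines()

if __name__ == "__main__":
    found = triage(SAMPLE)
    for cat, matched in found.items():
        print(f"{cat}: {len(matched)} hit(s)")
    print("flag for review:", verdict(found))
```

Treat the result as a triage signal only: a single matching category (for example, a legitimate plugin framework using DexClassLoader) is expected in benign apps, so the co-occurrence threshold is what makes the check useful.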