Mobile malware is not new to the Android platform, but Xavier is a little more clever. It downloads codes from a remote server, executes them, and uses a string encryption, Internet data encryption, emulator detection, and a self-protect mechanism to cover its tracks.
It is derived from AdDown, a family of malware that has been around for two years. But unlike most offshoots, Xavier features the troubling addition of encryption and a secure connection. Once it loads a file and obtains an initial configuration from a remote server, it detects, encrypts, and transmits information about the victim’s device — including the manufacturer, language, country of origin, installed apps, email addresses, and more — to a remote server.
According to Trend Micro, Xavier makes its remote capabilities tough to pin down by detecting whether it is running on an Android emulator, a type of software that mimics a device’s hardware components. It checks the device’s name, manufacturer, device brand, operating system version, hardware ID, SIM card operator, resolution, and does not run if it encounters an unexpected field.
Trend Micro’s analysis identified Xavier in apps from southeastern nations such as Vietnam, the Philippines, Indonesia, Thailand, Taiwan, and others, many of which appear to be innocuous on the surface. They range from utilities like photo editors to wallpaper and ringtone changers, and are typically free.
Trend Micro’s report follows the discovery of two other forms of Android malware earlier this year. In May, researchers at Check Point identified Judy, an auto-clicking adware which could have infected as many as 36.5 million Android devices. In March, Palo Alto Networks uncovered malware designed for Windows PCs in 132 apps on Google’s Play Store.
Google’s taking a proactive approach to the problem. The search giant has targeted security on Android over the past year, most recently with the introduction of the Google Play Protect platform. It says it has worked with 351 wireless carriers to shorten the time it takes to test security patches before deploying them to users — an effort that resulted in a reduction of the software approval process from six to nine weeks to just a week.
Google’s also doled out $1 million to independent security researchers and pursued an aggressive strategy of encryption. As of December, 80 percent of Android 7.x (Nougat) users secure their data with passwords, patterns, or PIN codes.
Adrian Ludwig, director of Android security at Google, pointed to social engineering — attacks that fool a user into installing an app that compromises his or her device’s security — as one of the biggest challenges facing app developers today. “People don’t want to think about security,” he told members of the press at the RSA conference in February. “They just want it to be that way.”
