A recent discovery by researchers from McAfee has unveiled a new Android backdoor malware named ‘Xamalicious,’ infecting approximately 338,300 devices through malicious apps on the Google Play Store. The malware was identified in 14 affected apps, three of which had already amassed 100,000 installs each before being removed from the Google Play Store. Although these apps are no longer visible in the Play Store, users who may have inadvertently installed them are urged to delete them immediately.

Despite the removal of the affected apps from the app store, users who installed them since mid-2020 may still have active Xamalicious infections on their devices. As a precautionary measure, users are advised to manually clean up their devices by checking for unwanted apps or any suspicious settings. If anything appears questionable, it should be promptly removed from the smartphone.

Some of the widely installed Xamalicious-affected Android apps include:

– Essential Horoscope for Android (100,000 installs)

– 3D Skin Editor for PE Minecraft (100,000 installs)

– Logo Maker Pro (100,000 installs)

– Auto Click Repeater (10,000 installs)

– Count Easy Calorie Calculator (10,000 installs)

– Dots: One Line Connector (10,000 installs)

– Sound Volume Extender (5,000 installs)

In addition to the apps on Google Play, another group of 12 malicious apps carrying the Xamalicious threat is circulating on unauthorized third-party app stores, impacting users through APK file downloads, as reported by ANI.

Notably, Xamalicious is an Android backdoor that stands out for being based on the.NET framework and integrated into apps developed using the open-source Xamarin framework. This characteristic poses a heightened challenge for cybersecurity experts engaged in code analysis. Upon installation, Xamalicious seeks access to the Accessibility Service, allowing it to execute privileged operations such as navigation gestures, concealing on-screen elements, and obtaining additional permissions.

After installation, the malware communicates with a Command and Control (C2) server to retrieve the second-stage DLL payload (‘cache.bin’). This retrieval is contingent on meeting specific criteria, including geographical location, network conditions, device configuration, and root status.

OnePlus Ace 3 Teases Flagship-Tier OLED Display

Android users are strongly advised to inspect their devices for any signs of Xamalicious infections, even if they have uninstalled the implicated apps. It is recommended to use reliable antivirus software for manual cleanup, and regular device scanning is encouraged to ensure protection against such malware threats.