
I just read about the Xavier malware that has apparently "infected" some apps on the Google Play Store.

As usual when there is news like this, they dumb it down to a level that most people can relate to, using terms like "infected with" etc. Some newspapers make it sound as though there is a virus running amok in the Play Store, "infecting" apps one by one, which I find highly unlikely! The article I linked to does seem to indicate that the malware is actually a third-party ad library used by the affected apps.

I'm a developer myself, and I don't really get how an app could be "infected by" a library. A library is something you actively choose to include in your app because it provides functionality that you want. Do they mean that the library maker purposely included malicious code in their ad library, or was the library somehow "infected" by some unknown actor?

Magnus
  • the library maker purposely included malicious code in their ad library – dandavis Jun 16 '17 at 14:50
  • It _is_ possible for malware on a developer's machine to detect that a program is being compiled and inject some other malware into it. Not likely (there's lower-hanging fruit for most attackers), and apparently not what happened here, but possible. – Jeffrey Bosboom Oct 16 '17 at 21:19

2 Answers


Here is a link to Trend Micro's analysis of it. Looks like the library is intentionally used in the apps rather than them being "infected". I think the apps' primary purpose is to deliver the malware.

From the article, the thing that jumps out at me most is the following: "...it comes with an embedded malicious behavior that downloads codes from a remote server, then loads and executes it. Second, it goes to great lengths to protect itself from being detected through the use of methods such as String encryption, Internet data encryption, and emulator detection."

Three things that make it dangerous: 1.) It can encrypt the traffic between it and its command & control servers. 2.) It can download and execute code from said servers. 3.) It evades detection. The fact that it can remotely download and execute code (think: updates that change its behavior), encrypts its traffic so no one knows what it sends back, and tries to evade detection tells me that it is designed to do something more nefarious later.

http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-xavier-information-stealing-ad-library-android/

GroundRat
  • Thanks! But what does Xavier actually _do_? The article goes into great detail of how it works, but it seems all it does is collect some information about the device and the user, like email address. I mean, it's clearly crossing the line, but the headlines make it sound like it's stealing your bank account numbers and passwords... – Magnus Jun 16 '17 at 16:16
  • From the article, the thing that jumps out at me most is the following: "...it comes with an embedded malicious behavior that downloads codes from a remote server, then loads and executes it. Second, it goes to great lengths to protect itself from being detected through the use of methods such as String encryption, Internet data encryption, and emulator detection." – GroundRat Jun 16 '17 at 19:22
  • Three things that make it dangerous: 1.) It can encrypt the traffic between it and its command & control servers. 2.) It can download and execute code from said servers. 3.) It evades detection. The fact that it can remotely download and execute code (think updates that change its behavior), encrypts its traffic so no one knows what it sends back, and tries to evade detection tells me that it is designed to do something more nefarious later. – GroundRat Jun 16 '17 at 19:28
  • @GroundRat Could you edit your answer to improve it with the content of your comments? You could remove your comments after that. – A. Hersean Aug 16 '17 at 08:38
  • Done. Leaving comments so it doesn't look like the other guy is talking to himself – GroundRat Aug 17 '17 at 16:19
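An added example, not code from the thread or from Trend Micro's write-up, of the kind of check a developer could run on a third-party SDK before shipping it. It turns the three behaviours quoted in the answer above (downloading and executing code from a remote server, string encryption, emulator detection) into a rough static triage of the strings pulled from an APK's classes.dex, which is also one concrete way to do the "thorough research before using libraries" that the other answer recommends. The indicator lists, the entropy threshold and the sample string table are this example's own assumptions, not Xavier indicators; a hit is a prompt to open the class in a decompiler, not a verdict.

```python
"""Heuristic static triage of strings extracted from an Android APK's classes.dex.

Added example (assumptions, not real indicators of compromise): the indicator
lists below are what the three behaviours discussed in the thread typically look
like in a dex string table. Legitimate SDKs also use some of these APIs, so the
output is a review queue, not a detection.
"""
import math
import re

# Dynamic code loading: the library fetches a dex/jar and executes it at runtime.
DYNAMIC_LOADING = (
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/PathClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
    "Ljava/lang/Class;->forName",
    "Ljava/lang/Runtime;->exec",
)
# Emulator detection: properties and device names only an emulator exposes.
EMULATOR_CHECKS = (
    "goldfish",
    "ranchu",
    "ro.kernel.qemu",
    "/dev/socket/qemud",
    "Landroid/os/Build;->FINGERPRINT",
)
# String / traffic encryption plumbing.
CRYPTO_APIS = (
    "Ljavax/crypto/Cipher;->getInstance",
    "Ljavax/crypto/spec/SecretKeySpec;",
    "Landroid/util/Base64;->decode",
)

# An opaque base64-like blob long enough to hide a URL or key (assumed threshold).
_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(text: str, min_entropy: float = 3.5) -> bool:
    """Heuristic for strings that are decrypted at runtime: an opaque blob with
    high entropy rather than readable text or a class/method reference."""
    return bool(_BLOB_RE.match(text)) and shannon_entropy(text) >= min_entropy


def _hits(strings, indicators):
    """Strings from the table that contain any of the indicators, deduplicated."""
    return sorted({s for s in strings for ind in indicators if ind in s})


def triage(strings):
    """Group a dex string table by behaviour and attach a coarse verdict."""
    report = {
        "dynamic_loading": _hits(strings, DYNAMIC_LOADING),
        "emulator_detection": _hits(strings, EMULATOR_CHECKS),
        "crypto_apis": _hits(strings, CRYPTO_APIS),
        "high_entropy_strings": [s for s in strings if looks_encrypted(s)],
    }
    # Runtime loading on its own is common (plugin frameworks, hot fixes).
    # Combined with emulator checks and hidden strings it is the pattern the
    # thread describes and deserves a manual look.
    if report["dynamic_loading"] and report["emulator_detection"] and (
        report["crypto_apis"] or report["high_entropy_strings"]
    ):
        report["verdict"] = "review: remote code loading plus evasion and hidden strings"
    elif report["dynamic_loading"]:
        report["verdict"] = "caution: loads code at runtime"
    else:
        report["verdict"] = "no dynamic-loading indicators"
    return report


# Constructed sample: what `strings classes.dex` might yield for an ad SDK.
# The SDK name, the base64 blob and the opaque token are made up for this example.
SAMPLE_STRINGS = [
    "Lcom/example/adsdk/AdView;",
    "Ljavax/crypto/Cipher;->getInstance",
    "Landroid/util/Base64;->decode",
    "Ldalvik/system/DexClassLoader;",
    "Ljava/lang/Class;->forName",
    "ro.kernel.qemu",
    "goldfish",
    "Landroid/os/Build;->FINGERPRINT",
    "aHR0cHM6Ly9hZHMuZXhhbXBsZS5uZXQvdXBkYXRlLmRleA==",
    "9Qv2rK8m1ZcL0xT7pWb3nJfHd5yGsEuA",
    "Loading ad...",
    "Skip",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

To use it on a real build, unzip the APK, run `strings` over each classes*.dex (or export the string pool from a decompiler) and pass the lines to `triage()`. Treat the base64-looking strings as the first thing to decode by hand: in the pattern described above, that is where the download URL or the key for the downloaded payload tends to sit.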

In this particular case, Xavier was developed exclusively to be a malicious ad library. Mostly because it is far too sophisticated to be a hijacked library, as it has too many layers of detection protection and an elaborate approach. Its main threat is its ability to execute any remote commands and download/execute code remotely.

Only trusted ad libraries are recommended. You can always do thorough research before using libraries in general, to confirm or deny your suspicions about one being malicious.

A "little bit" of a long shot here. Another way of infection is phishing. Lately, with Chrome and other add-ons being targeted by phishers, app developers are being phished out as well. Although it requires quite a sophisticated knowledge about the app and technologies used to make it, you can always push out a malicious update.

Josh Ross