In the ever-evolving landscape of mobile security threats, a new XLoader malware, MoqHao, has emerged, posing a significant risk to Android users. This malware, operated by the financially motivated threat actor 'Roaming Mantis,' can now auto-execute after installation, requiring no user interaction. The implications are dire as it can stealthily operate in the background, compromising sensitive user information.

Auto-Execution and Stealthy Operations

Recent variants of XLoader can launch automatically after installation, as reported by McAfee, an Android's App Defense Alliance partner. This feature allows the malware to run undetected, making it even more dangerous than its predecessors. The auto-execution capability poses a severe threat as the malware operates silently, extracting sensitive data such as photos, text messages, contact lists, and hardware information without requiring input from the victim.

The malicious apps send permission requests pretending to come from Google Chrome, requesting permission to send and view SMS (text) messages and asking permission to keep "Chrome" running in the background. And the coup de grace is permission to make "Chrome" your default SMS app.

Once it gets all of these permissions, the malware is used to send photos, text messages, contact lists, and info on the hardware you are using (including your phone's unique IMEI number) to the control server. Yes, it is terrifying.

Infection Chain and Obfuscation Techniques

The infection chain typically starts with text messages containing shortened URLs that lead to sites delivering Android APK installation files. XLoader employs Unicode strings to disguise these malicious APKs, often mimicking legitimate software like the Chrome web browser.

Using Unicode strings aids in evading detection, making it challenging for users to differentiate between legitimate and malicious applications.

To further enhance its deceptive tactics, XLoader sends fake permission requests designed to appear as if they are coming from Google Chrome. Victims are tricked into granting permission to send and view SMS messages, run in the background, and even make 'Chrome' their default SMS app. The malware uses these permissions to exfiltrate sensitive user data to a control server.

The pop-up messages used in this step are available in English, Korean, French, Japanese, German, and Hindi, which indicates XLoader's current targets.

Also Read: AI Security Pact: US, UK, And Other Countries Sign 'Secure By Design' Agreement 

Evolution of XLoader Commands

XLoader's recent iteration introduces new commands, expanding its capabilities. The malware creates notification channels for custom phishing attacks, extracting messages and URLs from Pinterest profiles. This dynamic approach allows attackers to switch phishing destinations seamlessly. In case of failure, the malware resorts to hardcoded phishing messages related to banking issues, prompting users to take action.

The most critical XLoader commands include 'get_photo,' which transmits all photos to the control server, risking significant privacy breaches, and 'getSmsKW,' which sends all SMS messages to the control server, potentially exposing sensitive information.

The malware can also execute commands to send SMS messages, export the entire contacts list, collect device identifiers, and facilitate HTTP requests for downloading malware, data exfiltration, or communication with the command and control server.

Protection Measures

While the threat is severe, Android devices with Google Play Services are equipped with Google Play Protect, which offers protection against XLoader. It is crucial to keep devices updated and refrain from clicking on suspicious links, especially those received via text messages. Users are advised to avoid sideloading apps and grant app permissions cautiously.

The growing sophistication of the XLoader malware emphasizes how important it is to remain vigilant and put comprehensive security measures in place. Users must put cybersecurity first to safeguard their data and maintain the integrity of their equipment, particularly in light of the growing threat from mobile devices.

By updating devices regularly, exercising caution when granting permissions, and relying on reputable program suppliers, one can lessen the risks associated with sophisticated malware like XLoader.

Related Article: First-Ever Trojan In IOS Discovered, Stealing Face ID Data For Bank Account Intrusion