Xavier Android Ad Malware Steals User Data Then Plays Hide And Seek

Android Malware
Here’s the thing about most mobile malware in the wild: it’s avoidable. That doesn’t mean you can’t stumble into some nasty code if you’re not paying attention, especially if you like to customize your phone in the ways the Android platform allows. Such is the case with a new, very sneaky strain of Android ad malware that has been downloaded to millions of devices globally, predominantly in Southeast Asia. AndroidOS_Xavier_AXM, more commonly known as Xavier, is an ad library with a malicious payload that sat on the Google Play store inside over 800 applications and was downloaded millions of times. Its data harvesting is disturbing enough, but the methods it uses to avoid detection are downright alarming.

Trend Micro recently unearthed Xavier, an ad library flagged by the company’s Reputation Service. The malware can download and execute additional malicious code from a remote server, and it works hard to stay hidden: it encrypts its strings and its network traffic, which blunts both static analysis and network-level detection, and it checks whether it is running in an emulator so that it can stay quiet inside automated analysis sandboxes. It is also capable of downloading and installing other APKs, and on a rooted smartphone it can do so silently, without the install prompt the user would otherwise see.

An Example Of A Xavier Malware-Infected App

Rooted or not, once the malware is on the target device it can transmit both device information and personally identifiable user information such as email addresses and user login names. The Trend Micro alert includes a list of known apps that contain the Xavier malware (PDF, starting on page 3). If you’ve downloaded one of these apps, we’d suggest removing it ASAP and, if possible, after backing up your data, performing a factory reset on your phone.

Apps associated with the malware range from photo editors to wallpaper and ringtone apps, a wide swath of popular Android add-on software. If your phone isn’t rooted and isn’t set to allow “apps from unknown sources,” you are relatively safe from Xavier’s third-party payload installs, since those require sideloading; the data collection described above still works either way. If you like to run things a bit more custom and open, better check what’s on your device, just to be sure.
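One quick way to do that check from a workstation is to pull the package list over `adb` and compare it against the package names in the alert. The script below is an added example for this article, not code from the original post or from Trend Micro. It parses the output of `adb shell pm list packages -i` (one line per package, `package:<name>  installer=<installer or null>`), flags any package on an indicator list, and separately lists packages that were not installed through Google Play, since those are the sideloaded APKs the article warns about. The sample listing and the indicator names are constructed placeholders; substitute the real names from the Trend Micro PDF.

```python
"""Triage an Android package listing against known-bad package names.

Added example, not code from the article or from Trend Micro. Feed it the
output of `adb shell pm list packages -i`; the embedded sample below is
constructed and the package names in it are placeholders.
"""

# Package name of the Google Play store, which `pm list packages -i` reports
# as the installer for Play-installed apps.
PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `pm list packages -i` output (placeholder names).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.ringtones.sample  installer=com.android.vending
package:com.example.wallpaper.sample  installer=null
package:com.example.photoeditor.free  installer=com.android.vending
package:com.android.settings  installer=null
"""

# Placeholder indicator list standing in for the package names in the alert.
SAMPLE_IOCS = {
    "com.example.ringtones.sample",
    "com.example.wallpaper.sample",
}


def parse_pm_output(text):
    """Return {package_name: installer} from `pm list packages -i` text.

    The installer is None when pm reports `null` (sideloaded or preinstalled)
    or when the `installer=` field is absent, as on older builds run without -i.
    """
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        name, _, rest = body.partition("  installer=")
        installer = rest.strip() or None
        if installer == "null":
            installer = None
        packages[name.strip()] = installer
    return packages


def triage(text, iocs, system_prefixes=("com.android.", "android")):
    """Flag indicator hits and non-Play installs in a package listing.

    `system_prefixes` is a crude heuristic (an assumption of this example) to
    keep preinstalled system packages, which also report installer=null, out
    of the sideloaded list. Running pm with `-3` does this properly on-device.
    """
    packages = parse_pm_output(text)
    matched = sorted(name for name in packages if name in iocs)
    sideloaded = sorted(
        name
        for name, installer in packages.items()
        if installer != PLAY_STORE_INSTALLER
        and not name.startswith(system_prefixes)
    )
    return {"matched": matched, "sideloaded": sideloaded}


if __name__ == "__main__":
    result = triage(SAMPLE_PM_OUTPUT, SAMPLE_IOCS)
    print("Indicator hits:", result["matched"] or "none")
    print("Not installed from Google Play:", result["sideloaded"] or "none")
```

To run it against a real phone, pipe `adb shell pm list packages -i -3 > packages.txt` into `parse_pm_output` instead of the embedded sample; the `-3` switch restricts the listing to third-party packages, which makes the system-prefix heuristic unnecessary. A hit in `matched` is a reason to uninstall and, as the article suggests, consider a factory reset; an entry in `sideloaded` is not proof of anything by itself but is exactly the population Xavier’s silent installs would land in.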

Image, courtesy: Flickr user portal gda