3. Xavier: Android Information Stealer
Original Issue Date:- June 27, 2017
Virus Type:- Trojan
It has been reported that the variants of the new information stealing android malware named "Xavier" is
spreading. The malware is embedded in various generic utilities hosted on Google Play store in the form of ad library SDK. The applications embedded with this ad library include apps such as photo
manipulators, wallpapers or ringtone changers etc.
The malware is capable of performing the following functions:
• Steals and leaks user's information/data from the infected device.
• Makes remote network connections to exchange data to and from the remote server.
• Download codes from remote server that enables successful execution of the malicious code.
• Capable of detecting emulated environments.
• Protect itself from being detected by using features such as string encryption, internet data encryption etc.
• Capable of escaping static and dynamic analysis.
• It has dynamic malicious behaviour which depends on the codes downloaded from the remote server.
One of the sample applications which is embedded with Xavier ad library is shown below:
Aliases:
ANDROIDOS_XAVIER.AXM(TrendMicro)
Indicators of compromise:
Command and control server:
The malware embedded in the apps make network connections to the remote command and control server which is encrypted in the Xavier code. The C2 URLs referred:
• hxxps://api-restlet[.]com/services/v5/
• hxxps://api-restlet[.]com/ services/v5/rD
• hxxps://cloud.api-restlet[.]com/modules/lib.zip
The malware collects various device information and sends it to the above mentioned c2 server in an encrypted manner. The information collected includes manufacturer, source, simcard country, product, publisher_id, simcard operator, service id, language, resolution, model, osversion, Device name, Device
Countermeasures:
• Prior to downloading / installing apps on android devices (even from Google Play Store):
o Alwars review the app details, number of downloads, user reviews, comments and "ADDITIONAL INFORMATION" section.
o Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
• Install and maintain updated antivirus solution on android devices.
• Scan the suspected device with antivirus solutions to detect and clean infections.
• If the device is infected un-install malicious app.
• Maintain regular backup of device.
• Do not download and install applications from untrusted sources. Install applications downloaded from reputed application market only.
• Do not click on banners or popup or ads notifications.
• Turn on 2-factor authentication for your Google/other account.
• Run a full system scan on device with mobile security solution or mobile antivirus solution.
• Install Android updates and patches as and when available from Android device vendors.
• Use device encryption or encrypting external SD card feature available with most of the android OS.
• Users are advised to monitor device battery usage and Data usage including application wise usage.
• Use Android Device Manager to locate, remotely lock, or erase your device.
• Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.
• Make a practice of taking regular backup of android device.
References:
• http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-xavier-information-stealing-ad-library-android/
• https://documents.trendmicro.com/assets/appendix--analyzing-xavier-an-information-stealing-ad-library-on-android.pdf
