Accessibility Options |  Sitemap |  Contact Us
   
 
 
 
HOME space ABOUTCERTIn space KNOWLEDGEBASE space TRAINING space ADVISORIES space VULNOTES space space SECUREPC space Facebook space Twitter
WLine
csk
Line
Full Member FIRST
Line
Full Member APCERT
Line
Global Research Partner APWG
Line
About CERT-in
Line
point point Client's /Citizen's Charter
Line
point point Roles & Functions
Line
point point Advisory Committee
Line
point point Act/Rules/Regulations
Line
point point Press  
Line
point point Recruitment NEW
Line
point point Tender  NEW
Line
point point Download Brochure
Line
point Subscribe Mailing List
Line
point Contact Us
Line
Reporting
point
 Incident Reporting
Line
Vulnerability Reporting
Line
Feedback
Line
KnowledgeBase
Line
Point Guidelines
Line
Point Presentations
Line
Point White Papers 
Line
Point Monthly Security Bulletin 
Line
point Point Annual Report 
Line
Line
Line
line
Line
Advisories
Line
VulnerabilityNotes
Line
RelatedLinks
Line
point Point World CERTs
Line
point Security Sites
line
point Security Tools
line
point Antivirus Resources
line
FAQ
line
Archive
line
line
line
Line
Line
line
line
line
line
line
line
line
line
line
line
line
line
spacer
Home - Virus AlertsPrint
point

VIRUS ALERTS

Xavier: Android Information Stealer

Original Issue Date:June 27, 2017

Virus Type: Trojan

It has been reported that the variants of the new information stealing android malware named "Xavier" is spreading. The malware is embedded in various generic utilities hosted on Google Play store in the form of ad library SDK. The applications embedded with this ad library include apps such as photo manipulators, wallpapers or ringtone changers etc.

The malware is capable of performing the following functions:
  • Steals and leaks user¿s information/data from the infected device.
  • Makes remote network connections to exchange data to and from the remote server.
  • Download codes from remote server that enables successful execution of the malicious code.
  • Capable of detecting emulated environments.
  • Protect itself from being detected by using features such as string encryption, internet data encryption etc.
  • Capable of escaping static and dynamic analysis.
  • It has dynamic malicious behaviour which depends on the codes downloaded from the remote server.
One of the sample applications which is embedded with Xavier ad library is shown below:

Aliases: ANDROIDOS_XAVIER.AXM(TrendMicro),

Indicators of compromises

Command and control server:

The malware embedded in the apps make network connections to the remote command and control server which is encrypted in the Xavier code. The C2 URLs referred:
  • hxxps://api-restlet[.]com/services/v5/
  • hxxps://api-restlet[.]com/ services/v5/rD
  • hxxps://cloud.api-restlet[.]com/modules/lib.zip
The malware collects various device information and sends it to the above mentioned c2 server in an encrypted manner. The information collected includes manufacturer, source, simcard country, product, publisher_id, simcard operator, service id, language, resolution, model, osversion, Device name, Device id, Installed apps, Android id, Email Address.

Note: For complete list of indicators of compromise, kindly refer to the references sections.

Countermeasures:
  • Prior to downloading / installing apps on android devices (even from Google Play Store):
    • Alwars review the app details, number of downloads, user reviews, comments and "ADDITIONAL INFORMATION" section.
    • Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
  • Install and maintain updated antivirus solution on android devices.
  • Scan the suspected device with antivirus solutions to detect and clean infections.
  • If the device is infected un-install malicious app.
  • Refer to security best practices for mobile Phone users:
    http://www.cyberswachhtakendra.gov.in/documents/Mobile_phone_Security.pdf
  • Install Android updates and patches as and when available from Android device vendors
  • Install and maintain updated mobile security/antivirus solution
  • Do not check "Untrusted Sources" checkbox to install side loaded apps.
  • Enable 2-factor authentication for your Google/other accounts.
  • Exercise caution while visiting trusted/untrusted sites for clicking links.
  • Users are advised to use device encryption or encrypting external SD card feature available with most of the android OS
  • Users are advised to keep an eye on Data usage (application wise usage also) and unusual increase in mobile bills
  • Users are advised to keep an eye on device battery usage (application wise usage also)
  • Use Android Device Manager to locate, remotely lock, or erase your device
  • Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.
  • Make a practice of taking regular backup of android device.

References

http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-xavier-information-stealing-ad-library-android/
https://documents.trendmicro.com/assets/appendix--analyzing-xavier-an-information-stealing-ad-library-on-android.pdf

 

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email:info@cert-in.org.in
Phone: +91-11-24368572
Postal Address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India
Indian Computer Emergency Response Team - CERT-In, Ministry of Electronics and Information Technology, Government of India.
Website Policies |  Terms of Use |  Help Last Updated On April 26, 2018