VIRUS ALERTS
Xavier: Android Information Stealer
Original Issue Date:June 27, 2017
Virus Type: Trojan
It has been reported that variants of a new information-stealing Android malware named "Xavier" are spreading. The malware is embedded, in the form of an ad library SDK, in various generic utility apps hosted on the Google Play Store. Applications carrying this ad library include photo manipulators, wallpaper apps, ringtone changers and similar utilities.
The malware is capable of performing the following functions:
- Steals and leaks the user's information/data from the infected device.
- Makes remote network connections to exchange data with the remote server.
- Downloads code from the remote server that enables execution of the malicious payload.
- Detects emulated (sandbox) environments.
- Protects itself from detection using features such as string encryption and encryption of internet traffic.
- Evades static and dynamic analysis.
- Exhibits dynamic malicious behaviour that depends on the code downloaded from the remote server.
One of the sample applications which is embedded with Xavier ad library is shown below:

Aliases: ANDROIDOS_XAVIER.AXM (Trend Micro)
Indicators of compromise
Command and control server:
The malware embedded in the apps makes network connections to a remote command and control server whose address is stored encrypted in the Xavier code. The C2 URLs referred to:
- hxxps://api-restlet[.]com/services/v5/
- hxxps://api-restlet[.]com/ services/v5/rD
- hxxps://cloud.api-restlet[.]com/modules/lib.zip
The malware collects various device information and sends it to the above-mentioned C2 server in encrypted form. The information collected includes manufacturer, source, SIM card country, product, publisher_id, SIM card operator, service id, language, resolution, model, OS version, device name, device id, installed apps, Android id and email address.
Note: For the complete list of indicators of compromise, kindly refer to the references section.
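As an added example (not part of the original advisory), the following Python script refangs the defanged C2 indicators listed above and scans DNS resolver log lines for lookups of those domains or their subdomains; the log format and the sample lines are constructed assumptions, not data from the advisory.

```python
import re
from urllib.parse import urlparse

# C2 indicators as listed in the advisory, in defanged (hxxps / [.]) notation.
XAVIER_C2 = [
    "hxxps://api-restlet[.]com/services/v5/",
    "hxxps://api-restlet[.]com/ services/v5/rD",
    "hxxps://cloud.api-restlet[.]com/modules/lib.zip",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a real URL (strips stray whitespace)."""
    ioc = re.sub(r"\s+", "", ioc)
    return re.sub(r"^hxxp", "http", ioc, flags=re.I).replace("[.]", ".")

def c2_domains(iocs):
    """Set of lower-cased hostnames extracted from the refanged C2 URLs."""
    return {urlparse(refang(u)).hostname.lower() for u in iocs}

def host_matches(hostname, domains):
    """True if hostname equals a C2 domain or is a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)

# Constructed sample resolver log (assumed format: time client query type name).
SAMPLE_DNS_LOG = """\
2017-06-27T10:01:02Z 10.0.0.12 query A play.googleapis.com
2017-06-27T10:01:05Z 10.0.0.12 query A api-restlet.com
2017-06-27T10:01:09Z 10.0.0.44 query A cloud.api-restlet.com
2017-06-27T10:02:11Z 10.0.0.44 query A notapi-restlet.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+\S+\s+(\S+)$")

def find_c2_lookups(log_text, iocs=XAVIER_C2):
    """Return (timestamp, client, hostname) tuples for lookups hitting a C2 domain."""
    domains = c2_domains(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and host_matches(m.group(3), domains):
            hits.append(m.groups())
    return hits

if __name__ == "__main__":
    for ts, client, host in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"{ts} {client} resolved Xavier C2 host {host}")
```

Note that "notapi-restlet.com" is deliberately not matched: the suffix check requires a dot boundary so that look-alike registrations do not produce false positives.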
Countermeasures:
- Prior to downloading / installing apps on Android devices (even from the Google Play Store):
  - Always review the app details, number of downloads, user reviews, comments and the "ADDITIONAL INFORMATION" section.
  - Verify app permissions and grant only those permissions that have relevant context for the app's purpose.
- Install and maintain an updated antivirus solution on Android devices.
- Scan the suspected device with antivirus solutions to detect and clean infections.
- If the device is infected, uninstall the malicious app.
- Refer to the security best practices for mobile phone users:
http://www.cyberswachhtakendra.gov.in/documents/Mobile_phone_Security.pdf
- Install Android updates and patches as and when they become available from Android device vendors.
- Install and maintain an updated mobile security/antivirus solution.
- Do not enable the "Untrusted Sources" option used to install side-loaded apps.
- Enable 2-factor authentication for your Google and other accounts.
- Exercise caution when clicking links while visiting trusted or untrusted sites.
- Users are advised to use device encryption or the external SD card encryption feature available in most Android OS versions.
- Users are advised to keep an eye on data usage (including per-application usage) and unusual increases in mobile bills.
- Users are advised to keep an eye on device battery usage (including per-application usage).
- Use Android Device Manager to locate, remotely lock, or erase your device.
- Avoid using unsecured, unknown Wi-Fi networks. Rogue Wi-Fi access points at public places may be used for distributing malicious applications.
- Make a practice of taking regular backups of the Android device.
References
http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-xavier-information-stealing-ad-library-android/
https://documents.trendmicro.com/assets/appendix--analyzing-xavier-an-information-stealing-ad-library-on-android.pdf
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal Address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India