Malicious Android Ad Malware
Free applications on the Google Play Store can be downloaded millions of times on Android devices, but some of these apps have been found to contain a malicious ad library that collects sensitive user data and can also perform dangerous operations.
The malicious ad library, dubbed Xavier, was discovered in September 2016 and poses a threat to all Android users.
Most free apps available on the Play Store contain ads that act as a revenue source for their developers, and the apps are integrated with an Android ad SDK library in a way that doesn’t affect the app's core functionality.
Trend Micro claims that the malicious ad library comes pre-installed in the applications and is found across all sorts of applications.
The previous version of Xavier only installed APKs silently on targeted devices, but in the version dubbed Xavier the developer has built those features into more sophisticated ones, such as:
- To escape dynamic detection, Xavier detects whether the system is running in an emulator, and it also checks the device's product name, manufacturer, device brand, device name, device module, hardware name or fingerprint against a wide range of strings specified within the malware
- The behavior of the malware is also hidden by cross-referencing the email address of the user with certain strings
Some features that the malware incorporates to avoid detection:
- Encrypts all constant strings to avoid static detection and manual analysis
- Data is encrypted and is transmitted via HTTPS
- Hides behavior depending on the environment it is running on
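The environment checks listed above read device properties that Android exposes as `android.os.Build` fields, and those reads are bytecode field references rather than string constants, so they stay visible in disassembly even when the strings they are compared against are encrypted. The following triage heuristic is an added example, not code from Trend Micro or from the malware; it assumes smali text produced by a disassembler such as apktool, and the threshold of four distinct fields and the sample class are constructed for illustration. Reads made through reflection would not be caught.

```python
import re
from collections import defaultdict

# android.os.Build fields matching the device properties the article lists.
BUILD_FIELDS = {"PRODUCT", "MANUFACTURER", "BRAND", "DEVICE",
                "MODEL", "HARDWARE", "FINGERPRINT"}

# smali static-field read: sget-object vN, Landroid/os/Build;->FIELD:Ljava/lang/String;
SGET_BUILD = re.compile(
    r"sget-object\s+[vp]\d+,\s*Landroid/os/Build;->(\w+):Ljava/lang/String;")
METHOD_START = re.compile(r"^\s*\.method\s+(.*)$")
METHOD_END = re.compile(r"^\s*\.end method")

def build_reads_per_method(smali_text):
    """Map each method signature to the set of Build fields it reads."""
    reads, current = defaultdict(set), None
    for line in smali_text.splitlines():
        m = METHOD_START.match(line)
        if m:
            current = m.group(1).split()[-1]  # last token is name + descriptor
            continue
        if METHOD_END.match(line):
            current = None
            continue
        hit = SGET_BUILD.search(line)
        if hit and current and hit.group(1) in BUILD_FIELDS:
            reads[current].add(hit.group(1))
    return dict(reads)

def flag_fingerprinting(smali_text, threshold=4):
    """Return methods reading at least `threshold` distinct Build fields (assumed cutoff)."""
    return {name: sorted(fields)
            for name, fields in build_reads_per_method(smali_text).items()
            if len(fields) >= threshold}

# Constructed sample for illustration; not taken from any real app.
SAMPLE = """
.class public Lcom/example/adlib/EnvCheck;
.method public static a()Z
    sget-object v0, Landroid/os/Build;->PRODUCT:Ljava/lang/String;
    sget-object v1, Landroid/os/Build;->MANUFACTURER:Ljava/lang/String;
    sget-object v2, Landroid/os/Build;->BRAND:Ljava/lang/String;
    sget-object v3, Landroid/os/Build;->HARDWARE:Ljava/lang/String;
    sget-object v4, Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;
.end method
.method public static label()Ljava/lang/String;
    sget-object v0, Landroid/os/Build;->MODEL:Ljava/lang/String;
.end method
"""
```

A hit is only a lead for manual review: legitimate analytics and crash-reporting libraries also read several of these fields.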
Best practices to avoid it:
- Do not download applications from unknown sources
- Check user reviews when downloading applications from the Play Store
- Update and patch devices to keep the malware away
Security Products that can help:
- Trend Micro Mobile Security for Android, which can be downloaded from the Google Play Store
- Trend Micro Mobile Security for Enterprise