Researchers have uncovered a new variant of the XLoader Android malware, identified as MoqHao, which now boasts the capability to autonomously initiate on infected devices without any user input. This advanced version of XLoader is the brainchild of a cybercriminal group known as ‘Roaming Mantis.’ This group, driven by financial motives, has previously orchestrated attacks targeting users across a diverse geographic landscape including the U.S., U.K., Germany, France, Japan, South Korea, and Taiwan.
The primary distribution mechanism for XLoader involves phishing SMS messages containing a shortened URL. This URL redirects the recipient to a website from where an Android Package Kit (APK) file, masquerading as a legitimate mobile application, can be downloaded and installed.
McAfee’s cybersecurity researchers, who are partners of the Android App Defense Alliance, have observed that the latest iterations of XLoader possess the ability to auto-launch post-installation. This functionality enables the malware to operate covertly, facilitating the theft of sensitive information from the background.
Infection Process Enhancements
Roaming Mantis has adeptly employed Unicode strings to camouflage its malicious APKs as innocuous, reputable applications, notably impersonating the Chrome web browser. This deceit plays a crucial role in convincing users to grant the malware extensive permissions, including SMS access and permission to run persistently in the background by exempting it from Android’s battery optimization. Furthermore, the malware attempts to persuade users to set it as the default SMS application under the guise of spam prevention.
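The label trick described above is something a defender can check for on a fleet: an app whose display label is not byte-for-byte "Chrome" but becomes "chrome" once zero-width characters, fullwidth forms and Cyrillic look-alikes are folded away, and which at the same time asks for SMS permissions and a battery-optimization exemption, deserves a closer look. The script below is an added example, not code from the article or from McAfee. It assumes an app inventory exported from device-management tooling in the simple list-of-dicts shape shown, treats `com.android.chrome` as the only legitimate Chrome package (an assumption; adjust for Chrome Beta/Dev builds in your environment), and uses a deliberately small confusables map that covers only a handful of Cyrillic letters. The sample inventory is constructed for the example and contains no real indicators.

```python
import unicodedata

# Constructed inventory of installed apps (package, display label, requested permissions).
# These entries are written for this example and are not indicators from the article.
SAMPLE_APPS = [
    {"package": "com.android.chrome", "label": "Chrome",
     "permissions": ["android.permission.INTERNET"]},
    {"package": "com.sample.update1", "label": "\u200bChrome",  # zero-width space prefix
     "permissions": ["android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                     "android.permission.SEND_SMS",
                     "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"]},
    {"package": "com.sample.browser", "label": "\uff23\uff48\uff52\uff4f\uff4d\uff45",  # fullwidth "Chrome"
     "permissions": ["android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"]},
    {"package": "com.sample.notes", "label": "Notes",
     "permissions": ["android.permission.READ_SMS"]},
    {"package": "com.sample.cyr", "label": "\u0421hr\u043em\u0435",  # Cyrillic Es, o, ie
     "permissions": ["android.permission.RECEIVE_SMS"]},
]

# Assumption: only the stock Chrome package is treated as legitimate here.
LEGIT_CHROME_PACKAGES = {"com.android.chrome"}

# Partial map of Cyrillic letters that render like Latin ones; extend as needed.
CONFUSABLES = {
    "\u0421": "C", "\u0441": "c", "\u041e": "O", "\u043e": "o", "\u0415": "E", "\u0435": "e",
    "\u0410": "A", "\u0430": "a", "\u0420": "P", "\u0440": "p", "\u0425": "X", "\u0445": "x",
    "\u0423": "Y", "\u0443": "y", "\u041d": "H", "\u0422": "T", "\u041a": "K", "\u041c": "M",
}

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
BATTERY_EXEMPTION = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"


def canonical_label(label: str) -> str:
    """Fold a display label into a comparable form.

    NFKC turns fullwidth/compatibility forms into plain ASCII; format characters
    (Unicode category Cf, which covers zero-width spaces/joiners and BOM) are
    dropped; known Cyrillic look-alikes are mapped to their Latin counterparts.
    """
    folded = unicodedata.normalize("NFKC", label)
    chars = (CONFUSABLES.get(ch, ch) for ch in folded
             if unicodedata.category(ch) != "Cf")
    return "".join(chars).strip().lower()


def triage(apps):
    """Return {package: [reasons]} for apps whose label looks like a Chrome impersonation
    or uses invisible/confusable characters, with permission context attached."""
    findings = {}
    for app in apps:
        reasons = []
        canon = canonical_label(app["label"])
        if canon == "chrome" and app["package"] not in LEGIT_CHROME_PACKAGES:
            reasons.append("label impersonates Chrome under a non-Chrome package")
        if canon != app["label"].strip().lower():
            reasons.append("label contains invisible or confusable characters")
        if not reasons:
            continue  # only label-based suspicion is reported; permissions are context
        perms = set(app["permissions"])
        if perms & SMS_PERMISSIONS:
            reasons.append("requests SMS permissions")
        if BATTERY_EXEMPTION in perms:
            reasons.append("requests battery optimization exemption")
        findings[app["package"]] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_APPS).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

Label folding alone is a heuristic: a benign localized app name can contain non-ASCII characters, which is why the script reports the permission set alongside the label finding rather than treating either on its own as a verdict.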
The malware’s linguistic versatility, with pop-up messages available in multiple languages including English, Korean, French, Japanese, German, and Hindi, highlights the broad spectrum of its target demographics.
Malware Functionality and Phishing Tactics
The updated XLoader variant utilizes notification channels to orchestrate custom phishing attacks, extracting phishing content and URLs from Pinterest profiles—a strategy likely designed to bypass security monitoring. This approach also allows for dynamic updates to phishing campaigns without the need to modify the malware directly. In scenarios where Pinterest-based phishing is unfeasible, the malware resorts to hardcoded messages that prompt users to address fictitious banking issues.
XLoader’s functionality extends to executing a diverse set of commands (20 in total) from its command and control (C2) server through WebSocket communications. These commands enable the malware to exfiltrate photos, SMS messages, and contact lists; send SMS messages for further propagation or phishing; and collect device identifiers for tracking purposes.
Evolution and Mitigation
Since its initial identification in 2015, XLoader has continually evolved, enhancing both its stealthiness and operational efficiency. The latest variants, requiring minimal user interaction, pose a significant threat. Given its disguise as a Chrome application, McAfee emphasizes the importance of utilizing security solutions capable of detecting and neutralizing such threats based on established indicators.
In light of these developments, McAfee has alerted Google about this auto-launch mechanism, prompting the development of countermeasures in upcoming Android versions to thwart such exploits.