After Judy, a new Trojan-based malicious code Xavier has been discovered in more than 800 applications on Google Play Store. According to TrendLabs Security Intelligence – which first detected the Trojan ad library – affected apps have been downloaded millions of times from Google Play. Most of these apps have been found to be utility apps such as photo manipulators, wallpaper, and ringtone changers.
Xavier has existed for over two years as its first version called joymobile appeared in early 2015, reported TrendLabs. Xavier isn’t easy to detect, neither via static or dynamic analysis. “In addition, Xavier also has the capability to download and execute other malicious codes, which might be an even more dangerous aspect of the malware,” the report read.
Users in Southeast Asian countries like Vietnam, Philippines, and Indonesia made the highest number of download attempts, compared to a fewer in the US and Europe. About 23.27 per cent users in Vietnam have download the affected apps, while 19.14 per cent and 8.23 per cent attempts came from Philippines and Indonesia respectively. Thailand and Taiwan stand at 6.66 per cent and 5.36 per cent downloads respectively. Close to 37.34 per cent download attempts were made by users in other countries.
It is feared that Xavier is more widespread and dangerous when compared to Judy. To recall, Judy was found in over 41 apps on the Google Play Store, and it infected between 8.5 million to 36.5 million users. In comparison, Xavier has been discovered in over 800 apps, which means it is likely to put a lot more users at risk.
While Judy uses devices to create false clicks on ads to revenue for the people behind this, Xavier can easily download and execute other malicious codes as well. Xavier resorts to encrypting all constant string, and several other methods to make detection difficult. So, there’s not really an easy way to know if a user’s device has been affected by Xavier. However, the report points out that Xavier’s behavior depends on the downloaded codes and the URL of codes, which are configured by the remote server.
Debiprasad
No comments:
Post a Comment
Thanks!