
XLoader Android Malware Emerges with Autonomous Execution Capability, Linked to Roaming Mantis Threat Actor

A recent iteration of the XLoader Android malware has surfaced, featuring an alarming capability to autonomously execute on infected devices, without requiring any user interaction to trigger its operation.

Known as XLoader or MoqHao, this Android malware is believed to be operated and potentially crafted by a financially motivated threat actor referred to as 'Roaming Mantis.' Previously, this threat actor targeted users across various countries including the U.S., U.K., Germany, France, Japan, South Korea, and Taiwan.

Typically, attackers distribute this malware through SMS text messages containing a (shortened) URL directing users to a website hosting an Android APK installation file for a mobile app.

Researchers at McAfee have observed recent variants of XLoader showcasing the ability to automatically launch post-installation. This enables the malware to discreetly operate in the background, clandestinely harvesting sensitive user data among other malicious activities.

The infection chain begins with the installation of the malicious app, which initiates its malicious operations automatically. This behavior has been reported to Google by McAfee, prompting action to implement mitigations in future Android versions.

To further camouflage the malicious app, Roaming Mantis employs Unicode strings to disguise the APKs as legitimate software, notably masquerading as the Chrome web browser.

Once installed, the fake Chrome app prompts users to grant risky permissions such as accessing SMS content and running continuously in the background by circumventing Android's Battery Optimization. Additionally, users are misled into setting the malware as the default SMS app under the guise of preventing spam.
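As an added defender-side illustration (not code from McAfee's report or this article), the following Python triage heuristic flags an installed app whose display name is a Unicode lookalike of "Chrome" under a package name other than Google's, and notes when that lookalike also holds the SMS and battery-optimization-exemption permissions or the default-SMS role described above. The confusables table is deliberately partial, and the inventory records and every non-Chrome package name are constructed.

```python
import unicodedata
from dataclasses import dataclass, field

GENUINE_CHROME = "com.android.chrome"  # package name of Google's Chrome
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
BATTERY_EXEMPT = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
# Hand-constructed partial table of Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "\u0421": "C", "\u0441": "c", "\u041d": "H", "\u043e": "o", "\u041e": "O",
    "\u0435": "e", "\u0415": "E", "\u0440": "p", "\u0420": "P", "\u0433": "r",
})

@dataclass
class App:
    label: str                    # display name shown to the user
    package: str                  # Android package name
    permissions: set = field(default_factory=set)
    default_sms: bool = False     # chosen by the user as default SMS handler

def normalize_label(label: str) -> str:
    """Fold a display name to plain lowercase text so lookalikes compare equal."""
    text = unicodedata.normalize("NFKC", label)  # fullwidth letters -> ASCII
    text = "".join(c for c in text if unicodedata.category(c) != "Cf")  # drop zero-width/RTL marks
    return text.translate(CONFUSABLES).strip().casefold()

def triage(app: App) -> list:
    """Return reasons an installed app matches the fake-Chrome pattern."""
    reasons = []
    if normalize_label(app.label) != "chrome" or app.package == GENUINE_CHROME:
        return reasons                      # genuine Chrome, or not posing as Chrome
    reasons.append("label %r impersonates Chrome (package %s)" % (app.label, app.package))
    if app.permissions & SMS_PERMS:
        reasons.append("browser lookalike requests SMS access")
    if BATTERY_EXEMPT in app.permissions:
        reasons.append("browser lookalike asks to bypass battery optimization")
    if app.default_sms:
        reasons.append("browser lookalike is the default SMS app")
    return reasons

# Constructed inventory; every package name except Chrome's is hypothetical.
INVENTORY = [
    App("Chrome", GENUINE_CHROME, {"android.permission.INTERNET"}),
    App("Chr\u043eme", "com.example.update",           # Cyrillic 'о' in place of 'o'
        SMS_PERMS | {BATTERY_EXEMPT, "android.permission.INTERNET"}, default_sms=True),
    App("\uff23\uff48\uff52\uff4f\uff4d\uff45\u200b", "com.example.viewer"),  # fullwidth + ZWSP
    App("Messages", "com.example.sms", set(SMS_PERMS), default_sms=True),
]

if __name__ == "__main__":
    for app in INVENTORY:
        print(app.package, triage(app) or ["no findings"])
```

A legitimate messaging app with SMS permissions is not flagged, because the heuristic keys on a browser lookalike holding those permissions, not on the permissions alone.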

The phishing messages and landing URLs are extracted from Pinterest profiles, providing flexibility to switch phishing destinations and messages without updating the malware on the device. In cases of failure, XLoader resorts to using hardcoded phishing messages related to bank account issues to manipulate users into taking action.

Furthermore, XLoader is capable of executing a range of commands received from its command and control (C2) server, including transmitting photos, retrieving SMS messages, sending SMS messages, extracting contact lists, collecting device identifiers, and facilitating HTTP requests for downloading malware or data exfiltration.

Since its emergence in 2015, XLoader has continuously evolved its attack techniques, improving its stealth capabilities and operational efficiency. McAfee underscores the potency of XLoader's latest variants, which demand minimal user interaction for propagation.

Given its disguise as Chrome, McAfee advises utilizing a security product equipped to scan and eliminate such threats based on known indicators.
