Trend Micro Incorporated recently discovered a Trojan Android Malware called Xavier that steals and leaks a user’s information silently. Xavier’s impact has been widespread. Based on data from Trend Micro Mobile App Reputation Service, Trend Micro detected more than 800 applications embedded with Xavier have been downloaded millions of times from Google Play Store. These applications range from utility apps such as photo manipulators to wallpaper and ringtone changers. Trend Micro also provides multilayered mobile security solutions to protect users from this threat.
Trend Micro found that Xavier comes with some notable features that differentiate it from the other malwares. First, it comes with an embedded malicious behaviour that downloads codes from a remote server, then loads and executes it. Second, it goes to great lengths to protect itself from being detected through the use of methods such as String encryption, Internet data encryption, and emulator detection.
Xavier’s stealing and leaking capabilities are difficult to detect because of a self-protect mechanism that allows it to escape both static and dynamic analysis. Xavier also has the capability to download and execute other malicious codes, which might be an even more dangerous aspect of the malware. Xavier’s behaviour depends on the downloaded codes and the URL of codes, which are configured by the remote server. To avoid detection, Xavier encrypts all constant strings, making static detection and manual analysis more difficult. It performs net transmission via HTTPS to prevent its traffic from being caught and will hide its behaviour based on the running environment.
The greatest number of download attempts came from countries in Southeast Asia such as Vietnam, Philippines, and Indonesia, with fewer downloads from the United States and Europe. Xavier is a member of the AdDown family, which has existed for over two years. The first version, called joymobile, appeared in early 2015. This variant was already capable of remote code execution. The variant known as Xavier emerged sometime in September 2016 with a more streamlined code. The first version of Xavier removed APK (Android Package Kit) installation and root checking, but added data encryption with the TEA algorithm.