Trend Micro researchers spotted more than 800 Android applications available on the Google Play Store embedded with the software development kit (SDK) of the information-stealing ad library dubbed “Xavier.”
The Trojan is designed to steal and leak a user's information silently and has so far been downloaded millions of times, according to a 13 June blog post. Approximately 75 of the affected apps have since removed the Trojan from their code.
The majority of downloads came from countries in Southeast Asia such as Vietnam (23.27 percent), Philippines (19.14 percent), and Indonesia (8.23 percent), with fewer downloads from the US and Europe.
Unique features of the Trojan include its embedded malicious behaviour that downloads code from a remote server and the great lengths it goes to in order to avoid detection, using methods such as string encryption, internet data encryption, and emulator detection, researchers said in the post.
Xavier is difficult to detect because of a self-protection mechanism that allows it to escape both static and dynamic analysis, again relying on string encryption, internet data encryption, and emulator detection. The Trojan also has the ability to download and execute other malicious code, making it even more dangerous.
The malware family has been around for more than two years and is a member of the AdDown family. The latest version has since evolved to use a more timed code structure, remove APK installation, remove the root check, encrypt data with TEA, and add a mechanism to escape dynamic detection.
Researchers said the best way to avoid infection by malware hiding in trusted sources, such as Google Play, is to pay attention to the reviews and not to download or install applications from unknown sources.