Xavier Malware hits Play Store, affects 800 apps

Sarang Avatar



These sure are testing time for Android users indeed. As if the news about JUDY Adware wasn’t enough, leading cybersecurity firm Trend Micro recently announced their discovery of a Trojan Android Ad library malware called Xavier wrecking havoc in Play Store.

The malicious ad library, emerged in September 2016 and is a member of AdDown malware family, potentially posing a severe threat to millions of Android users. To understand more about the malware, we must first delve into its workings and why it threatens the Android ecosystem.

What Exactly Is a Malware?

The question may seem redundant to most of our readers out there but the common user is unaware of such key concepts and refers to them all simply as ‘virus’. A malware is a software, specifically designed to disrupt, damage, or gain unauthorized access to a device/system.

The Xavier malware is capable of stealing and leaking sensitive information, such as email addresses and user login names. While the predecessors of Xavier, Joymobile and  Nativemob were rather simplistic adware, Xavier is much more advanced and discreet.

The malware seems to have been downloaded at least a million times. These are in lieu with both Google Play Store and third-party downloads.

What Makes Xavier Dangerous?

The previous variants were simply an adware with an added ability of installing other APKs discreetly on targeted devices. Xavier now replaces these features with more sophisticated ones, including:

  • Self Protect Mechanism:  Xavier is capable of masking its presence in the application by encrypting all its constants and encapsulating most of its code. It recognises simulations inside a controlled (emulated) environment for debugging and analyzation purposes.
  • Remote Takeover: Xavier can perform Man-In-The-Middle (MITM) attacks and if granted unprecedented access, is also capable of taking over your device and injecting adware and/or infected applications.
  • Identity and Information Theft: Xavier is also able to steal devices and user related information. These include email address, Device id, model, OS version, country, manufacturer, carrier, screen resolution and Installed apps information.


How Does It Work?

What makes Xavier a worrying concern is its presence online as an ad library. Unlike traditional adware and malware which are injected into apps and then distributed via third-party vendors, Xavier’s encryption techniques imply that infected apps can easily enter the Google Play Store and poses a risk to unaware users.

  • The user installs the infected app from Play Store.
  • The malicious app downloads malicious code from a remote server as a separate data package.
  • After successful installation on a user device, Xavier loads and executes the malicious code.
  • It protects itself from detection through the use of methods such as String encryption, Internet data encryption, and emulator detection

Protecting Your Device From Xavier Malware

While the general rule of thumb should be to only download applications from the Google Play Store but seeing that the malware already has a significant presence there, a few key points should be kept in mind

  • Only download applications from renowned developers/companies.
  • Do not download application that asks for varying levels of permission. (ex: A torch app does not need permission for storage)
  • Check the comments carefully for any mentions of intrusive and/or constant adverts.
  •  Refrain from downloading apps from third-party sources.

Furthermore, please refer to the detailed list of malicious apps on the Play Store to verify if you have an infected app on your device.


Source: Trend Micro

Follow and Subscribe

Sarang Avatar

Leave a Reply