Android is the world’s biggest consumer operating system, bigger even than Windows — so it should come as no surprise that it is the target of malware. This has been the case for several years, and as Android has grown, so the threats have grown.
Summer 2017 saw the uncovering of a new vulnerability in Android that has been exploited for quite some time. It involves a malicious ad library that comes pre-installed on over 75 applications. Are your devices affected? And what can you do about it?
Meet Xavier: A Malicious Ad Library
Android app developers usually produce free software. Over 90% of Android apps are free, with adverts used to generate revenue for the devs. These adverts are served by ad libraries, using embedded code in the app’s user interface. Application developers trust the providers of these libraries to be serving standard adverts, but this isn’t always the case.
Xavier is one such situation: a malicious ad library. A member of the AdDown family of malware — used for malvertising — Xavier emerged in September 2016. Research from Trend Micro has revealed that Xavier has been found in a sizable collection of Android apps. These include everything from media players to RAM optimization tools (which don’t really work).
In short, it doesn’t matter what sort of apps you use. There is a chance that you’re affected by Xavier. While the threat seems to have targeted South East Asia, the availability of apps across Google Play makes this an active threat that you might have picked up through innocently installing a seemingly user-friendly app.
How Xavier Maliciously Impacts Your Android Device
The Xavier ad library has several abilities that can impact your smartphone or tablet (or even TV box or Android game console).
- Xavier can install APK files on your hardware without notification (older Android versions).
- Remote code execution, enabling hackers to run code on your phone, is also possible.
- Identity and device cloning functionality is also included. Data such as your personal information and the make and model of your phone, SIM card, and even apps installed can be gathered.
- Xavier is tricky to detect. Standard mobile antivirus tools may struggle, as Xavier is designed to encrypt its data use and remains dormant when scanned.
In short, this is not a piece of malware that you want to find running on your smartphone. As smartphone security goes, the Xavier ad library is a big problem. While there are plenty of other Android malware threats out there, this one is particularly insidious. It is yet another example of how malware developers and security researchers are in a sort of “arms race” to outdo one another. Xavier’s developer has cleverly exploited a vulnerability in how adverts are delivered to your Android phone and tablet.
Avoid These 75 Apps!
Thanks to the research from Trend Micro, we have a good idea of which apps are serving Xavier malvertising to your Android device. Among these apps you will find “MP3 Cutter and Ringtone Maker” (com.efflicnetwork.ringtonecutter) and “Fast launchers – Best & Small” (com.azurersweet.launcher).
A full browse of the list will reveal a collection of apparently interesting, useful apps. There is nothing obviously dodgy about them. Also, we have no evidence that the app developers knew that Xavier ad library would be gathering data on their customers.
If you have any of these apps installed on your phone, uninstall them immediately. You might also discard them from your app library in Google Play to avoid accidentally installing them in future. Do this via the Google Play app on your Android device. Open the Menu, select My apps & games > Library and scroll to the apps you want to remove. Tap X to discard them from your library.
Protect Yourself From Xavier Malvertising Malware
You might have one or two of these apps installed. You might even have uninstalled them and discarded them from your app library already. But if you weren’t using these apps, how can you avoid them?
Checking a list so large isn’t practical: as developers can easily change the names of their apps, it makes little sense. Instead, you should be focusing on maintaining a robust approach to app installation.
The first step is to stick with recognized developers. If you’ve never heard of Gosi Team, for example, then don’t install their software until you have done some research (Gosi Team have at least one app affected by Xavier).
Well-known app developers like Google, Microsoft, etc., are unlikely to be carrying malware. Beyond this, however, as a rule, make sure you’re checking reviews when installing apps, both on Google Play and beyond.
Adding any software to your device is a matter for consideration. Think about it: all that personal data. You don’t want it getting into the wrong hands. Stick to reputable apps.
Vigilance Is Vital
You keep personal data on your phone. It goes everywhere with you. Contacts, cloud sync, photos… you get the picture. Having your device hijacked by malvertising scammers is not ideal. Stay safe, using the steps above, and stay aware by keeping up to date with online security news. In fact, you might even consider checking a few white papers.
Have you been struck by Android malware? Perhaps Xavier served malicious ads to your phone or tablet. Tell us about it in the comments.