Sneaky Android Malware Mimicking Chrome Can Now Self-Execute

By Chris Thompson

In the constantly evolving landscape of cybersecurity threats, a sophisticated new version of the Android XLoader malware has emerged, showcasing an alarming capability for self-execution without the need for any direct interaction from the user. Crafted by the notorious cybercriminal group known as ‘Roaming Mantis,’ this malware variant spreads primarily through an SMS phishing attack.

Victims receive a text message containing a shortened URL. Upon clicking this link, they are directed to a webpage urging them to download a seemingly benign mobile application in the form of an Android Package Kit (APK).

A detailed investigation conducted by cybersecurity experts at McAfee highlights the enhanced capabilities of this latest XLoader (aka MoqHao) iteration. Once installed on an Android device, the malware masquerades as a legitimate application, deceptively resembling the popular ‘Chrome’ browser, albeit with a subtly altered logo featuring an italicized ‘r’.

This disguise serves a dual purpose: it not only blends into the user’s array of frequently used apps but also seeks to gain the user’s trust.

(Image Source: McAfee)

The malware doesn’t stop there; it audaciously prompts users to grant it permission to operate continuously in the background, further deepening its integration into the device’s ecosystem. In an even more brazen move, XLoader seeks to replace the device’s default SMS application.

This request is presented to users through prompts available in a variety of languages, including English, French, Japanese, Hindi, and German, indicating the attackers’ intention to target a broad, global audience.
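The two behaviours described above, a Chrome look-alike and a takeover of the default SMS role, are both visible from the device side. The following triage script is an added example (not McAfee's or the article's code) that flags them from two inputs a responder would collect: the package holding the SMS role (assumed to be the output of `adb shell cmd role get-role-holders android.app.role.SMS`) and a constructed `package<TAB>label` listing of installed apps; the package `com.example.fakebrowser` is a placeholder.

```python
"""Triage check for Chrome impostors and an unexpected default SMS app.

Added example; the app listing format and the sample data below are
constructed for illustration, not taken from the McAfee report.
"""

# Google's own Chrome package names; anything else labelled "Chrome" is suspect.
CHROME_PACKAGES = {"com.android.chrome", "com.chrome.beta",
                   "com.chrome.dev", "com.chrome.canary"}
# Messaging apps expected to hold the SMS role on a managed fleet (allowlist).
KNOWN_SMS_APPS = {"com.google.android.apps.messaging", "com.android.mms"}


def parse_app_listing(text):
    """Parse constructed 'package<TAB>label' lines into {package: label}."""
    apps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pkg, _, label = line.partition("\t")
        apps[pkg.strip()] = label.strip()
    return apps


def find_chrome_impostors(apps):
    """Packages whose visible label reads 'Chrome' but are not Google's."""
    return sorted(pkg for pkg, label in apps.items()
                  if label.casefold().replace(" ", "") == "chrome"
                  and pkg not in CHROME_PACKAGES)


def check_sms_role(role_output):
    """Return (holder, suspicious); the role query prints one package name."""
    holder = role_output.strip()
    return holder, bool(holder) and holder not in KNOWN_SMS_APPS


# Constructed sample: a genuine Chrome, a real messaging app, and an impostor
# that has also taken over the SMS role.
SAMPLE_APPS = ("com.android.chrome\tChrome\n"
               "com.google.android.apps.messaging\tMessages\n"
               "com.example.fakebrowser\tChrome\n")
SAMPLE_SMS_ROLE = "com.example.fakebrowser\n"


def triage(app_listing=SAMPLE_APPS, sms_role_output=SAMPLE_SMS_ROLE):
    """Return a list of human-readable findings (empty when nothing is off)."""
    apps = parse_app_listing(app_listing)
    findings = [f"label 'Chrome' on non-Google package {p}"
                for p in find_chrome_impostors(apps)]
    holder, suspicious = check_sms_role(sms_role_output)
    if suspicious:
        findings.append(f"default SMS role held by unexpected package {holder}")
    return findings
```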

This development marks a significant evolution in the tactics employed by cybercriminals, emphasizing the need for heightened vigilance and advanced security measures to protect against such sophisticated threats.

"Google Play Protect serves as a crucial defense against malware like XLoader, emphasizing the importance of keeping such protective services enabled on any Android device."

Simon Lewis, Co-founder of Certo.