XLoader Android Malware Runs in the Background and Steals Your Data

Mobile malware isn’t common, but it’s growing increasingly more so. You may have heard of a malware called XLoader, which has been used to victimize people in over seven countries. This mobile threat has seen various iterations over the past several years, but you should be especially concerned these days.

This threat targets Android devices, and since Android makes up a significant portion of the smartphone market share, there is no shortage of victims to be had. Android malware typically works when the file is opened by the user, and it cannot run in the background until it has been. However, XLoader is a bit different and—admittedly—scarier in how it operates. 

It can actually launch itself automatically, which is a major problem.

Not only can it launch itself automatically under the right circumstances, but it can also run in the background, allowing it to do all kinds of malicious things. XLoader can extract data from any infected device. Some of this data includes potentially sensitive files such as photos, text messages, contact lists, hardware information, and so on.

The threat was first discovered by security company McAfee, which reported that the threat spreads through shortened URLs in phishing text messages. The user has a harder time identifying potentially malicious URLs when it’s condensed into a shortened one, and when the user clicks on the link, they are taken to a download for an Android APK file. These files are typically used to sideload an app without downloading them directly from the Play Store. When users install the app, they infect their Android device with the threat.

To keep itself hidden from the user, the app will impersonate Google Chrome and request permissions that it does not need, like accessing text messages and running in the background. The user will then assign it to be the default SMS app, further enabling its debauchery. XLoader can extract even more phishing messages and malicious links from Pinterest profiles, sending the links to the infected smartphone so that it can remain undetected.

The wild part of this is that the threat uses hard-coded phishing messages to trick the user into clicking on malicious links under the guise of bogus allegations of bank fraud. It only resorts to this if it cannot access Pinterest, however, but the fact that it has a failsafe makes this threat very sophisticated.

A good way to limit your exposure to potential mobile threats like XLoader is to exclusively download reputable apps from the app store and avoid sideloading whenever possible. You should also enable Google Play Protect if it’s not already enabled.

To make sure it’s on, open the Google Play Store app. At the top right, tap the profile icon. Tap Play Protect and then Settings. Ensure Scan apps with Play Protect is on.

For more updates on the latest threats and vulnerabilities, be sure to keep an eye on our blog.