February 25, 2024

Android Trojan Xamalicious has been hiding in the Google Store for years

A previously unknown Android backdoor called Xamalicious infected more than 300,000 smartphones via malicious apps from the Google Play Store. Google's precautions against infected apps are already good, but the malicious apps managed to remain undetected for almost three years.


The application requests additional permissions

This is what security experts from McAfee reported. 14 infected apps were found in the Google Play Store. Some of the apps have been available in the Store since 2020. Three of the apps have each been installed about 100,000 times.

The malware is capable of executing various commands, such as collecting device and hardware information and transmitting the device's geographic location based on the IP address.

Xamalicious Android backdoor

Xamalicious is a .NET-based Android backdoor embedded in applications developed using the open source Xamarin framework, hence the name. Building on Xamarin makes code analysis more difficult, which in turn makes the malware harder to detect.

Once installed, it requests access to the Accessibility service to perform distinct actions such as navigation gestures, hiding screen elements, and granting itself additional permissions.
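As an added example (not code from McAfee or from the original article), the following sketch triages an APK file for the two traits described above: the Xamarin runtime and a declared accessibility service. It assumes the Mono runtime library `libmonodroid.so` as the Xamarin marker, uses a constructed in-memory sample APK, and only flags an app for manual review, since many legitimate apps share both traits.

```python
import io
import zipfile

# Permission an app's service must declare to act as an accessibility service.
ACCESS_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_apk(apk):
    """Inspect an APK (path or file-like object) and report both traits."""
    with zipfile.ZipFile(apk) as z:
        names = z.namelist()
        # Xamarin apps ship the Mono runtime as a native library per ABI.
        xamarin = any(n.startswith("lib/") and n.endswith("/libmonodroid.so")
                      for n in names)
        # Older builds keep managed code as plain DLLs; newer ones may pack
        # them into a blob, so this list can be empty for a Xamarin app.
        managed = sorted(n for n in names
                         if n.startswith("assemblies/") and n.endswith(".dll"))
        manifest = (z.read("AndroidManifest.xml")
                    if "AndroidManifest.xml" in names else b"")
    # The compiled manifest stores strings as UTF-8 or UTF-16LE; a byte
    # search for both encodings avoids a full binary-XML parser.
    accessibility = any(ACCESS_PERM.encode(enc) in manifest
                        for enc in ("utf-8", "utf-16-le"))
    return {
        "xamarin": xamarin,
        "managed_assemblies": managed,
        "accessibility_service": accessibility,
        "review": xamarin and accessibility,
    }


def build_sample_apk(files):
    """Build a constructed APK-like ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample, not a real application.
    sample = build_sample_apk({
        "AndroidManifest.xml": b"\x03\x00" + ACCESS_PERM.encode("utf-16-le"),
        "lib/arm64-v8a/libmonodroid.so": b"\x7fELF",
        "assemblies/App.dll": b"MZ",
    })
    print(triage_apk(sample))
```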

According to McAfee, there are links between Xamalicious and an ad fraud app called “Cash Magnet” that automatically clicks on ads and installs adware on the victim’s device to generate revenue for its operators. Running in the background, Xamalicious may therefore affect processor performance and network bandwidth.

Most popular Xamalicious apps:

Other malicious apps containing Xamalicious are still available through several third-party vendors and thus continue to infect users via downloadable APK files.

Xamalicious infection is also present in Germany

According to McAfee's telemetry data, most infections were detected on devices in the United States and Germany, as well as Spain, the United Kingdom, Australia, Brazil, Mexico, and Argentina. Although the apps have now been removed from Google Play, users can still have active Xamalicious infections on their phones. In order to find malware, manual scans and cleanups must now be performed, McAfee warns.


  • The “Xamalicious” virus has infected more than 300,000 Android smartphones
  • Google Play Store vulnerabilities discovered by McAfee
  • 14 apps containing malware in the Store since 2020, some of which have been installed 100,000 times
  • The malware collects device information and transmits location
  • Gives itself access to the accessibility service
  • Relationship to the fraudulent advertising application “Cash Magnet”
  • Infected apps are still available through third parties
  • Devices in the USA and Germany are mainly affected
