Google axed massive Android adfraud botnet Chamois from Play Store
Apart from stealing and leaking user data, the malware can also install APKs on rooted devices REUTERS/Dado Ruvic/Illustration

Over 800 Android apps on Google Play were found infected with a "silent" data stealing and leaking malware. The malicious adware has been around since 2016 and functions under the radar, making it difficult to detect its activities.

According to researchers at Trend Micro, who detected the threat, Xavier is capable of downloading and executing other malicious codes, as well as stealing users' personal and financial data. The categories of infected apps include photo manipulators, utilities, ringtone chargers, anti-virus, wallpaper apps and more. Researchers said that these infected apps have already been downloaded millions of times.

"The greatest number of download attempts came from countries in Southeast Asia such as Vietnam, Philippines, and Indonesia, with fewer downloads from the United States and Europe," Trend Micro researchers said.

The malware also uses security evasion techniques such as "String encryption, Internet data encryption, and emulator detection" to avoid being detected by security and anti-virus programs. "Xavier's stealing and leaking capabilities are difficult to detect because of a self-protect mechanism that allows it to escape both static and dynamic analysis," researchers said.

Brief history on Xavier

Xavier is not new. It has been around since 2015 but was only detected a year later. The malware belongs to a malicious adware family called AdDown. The malware's first version was dubbed "joymobile".

Apart from stealing and leaking user data, the malware can also install APKs on rooted devices. Xavier can also communicate with its C&C (command and control) server sans encryption, all the while remaining undetected.

How to stay safe?

Google has begun removing malicious apps from Google Play and 75 Xavier infected apps have already been removed from the Play Store. However, that is no guarantee of users remaining safe from malware. In most cases, malware-infected apps come from third-party sites. It is therefore essential not to download and install apps from unknown sources.

"It can help to read reviews from other users who have downloaded the application. Other users can be a great source of insights, especially if they can point out whether a specific application exhibits suspicious behaviour," Trend Micro researchers said.

It is also essential that you keep your devices updated and running on the latest OS version available.