After Judy, a new Trojan-based malicious code Xavier has been found in over 800 applications on Google Play Store. According to TrendLabs Security Intelligence, which first detected the Trojan ad library, the affected apps have been downloaded millions of times from Google Play, most of which were utility apps such as photo manipulators, wallpapers, and ringtone changers.
Xavier had been around for two years and its first version called `joymobile' appeared in early 2015, reported TrendLabs. Xavier was not easy to detect, neither via static or dynamic analysis. ''In addition, Xavier also has the capability to download and execute other malicious codes, which might be an even more dangerous aspect of the malware,'' the report read.
Users in Southeast Asian countries like Vietnam, the Philippines, and Indonesia made the highest number of download attempts, against fewer attempts by users in the US and Europe. About 23.27 per cent users in Vietnam had download the affected apps, while 19.14 per cent and 8.23 per cent attempts were made in the Philippines and Indonesia respectively. The corresponding figures for Thailand and Taiwan were 6.66 per cent and 5.36 per cent respectively. Other countries accounted for 37.34 per cent download attempts.
Xavier was feared to be more widespread and dangerous when compared to Judy. Judy was found in over 41 apps on the Google Play Store, and it infected between 8.5 million to 36.5 million users, while Xavier had been discovered in over 800 apps, which meant it was likely to put a lot more users at risk.
According to experts, what made the malware insidious was way it was coded into the application. As no malicious code is used within the app, it is not detected when submitted for approval to the store. But once installed the malware downloads malicious code from a covert server, which it can then execute. These actions can happen in the background without the user's knowledge or consent.
According to experts, it was also capable of installing other APKs, and which it does silently if the device was rooted.