XLoader is a backdoor trojan and spyware that infects Android devices. It uses Domain Name System (DNS) spoofing to distribute and install malicious Android apps posing as Facebook or Chrome apps. The apps are distributed via DNS domains that send notification messages to victim devices. The app collects personally identifiable information (PII) and financial data, and can install additional malicious apps. Additionally, XLoader can perform the following functions:

  • sendSms — send SMS/MMS to a specified address
  • setWifi — enable or disable Wi-Fi connection
  • gcont — collect all the device’s contacts
  • lock — currently only records a lock status in the settings (pref) file, but may be used for screen-locking ransomware
  • bc — collect all contacts from the Android device and SIM card
  • setForward — currently not implemented, but can be used to hijack the infected device
  • getForward — currently not implemented, but can be used to hijack the infected device
  • hasPkg — check whether a specified app is installed on the device
  • setRingerMode — set the device’s ringer mode
  • setRecEnable — set the device’s ringer mode to silent
  • reqState — get a detailed phone connection status, which includes activated network and Wi-Fi (with or without password)
  • showHome — force the device back to the home screen
  • getnpki — get files/content from the folder named NPKI (contains certificates related to financial transactions)
  • http — access a specified network using HttpURLConnection
  • onRecordAction — simulate a number-dialed tone
  • call — call a specified number
  • get_apps — get all the apps installed on the device
  • show_fs_float_window — show a full-screen window for phishing
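
The command names above are the most distinctive artefact an analyst has to work with, so a practical triage step is to look for that vocabulary in the strings of a suspect APK. The following is an added example, not code from the original page or from Trend Micro's analysis: it assumes the analyst has already extracted printable strings from the APK's classes.dex into a list of lines (a DEX disassembler or a strings tool will produce this), scores the lines against the advisory's command list, and down-weights generic tokens such as "call", "lock", "bc" and "http" that appear in benign apps. The two string dumps embedded in the block are constructed for illustration and are not real indicators.

```python
"""Heuristic triage of an Android APK string dump for the XLoader command vocabulary.

Added example, not from the original advisory. Input is assumed to be a list of
printable strings extracted from classes.dex; the sample dumps below are
constructed for illustration only.
"""
from __future__ import annotations

import re
from typing import Iterable

# C2 command identifiers listed in the advisory. Short, generic tokens such as
# "bc", "lock", "call" and "http" are weak evidence on their own, so they get a
# lower weight than the malware-specific names.
XLOADER_COMMANDS: dict[str, int] = {
    "sendSms": 3, "setWifi": 3, "gcont": 3, "lock": 1, "bc": 1,
    "setForward": 3, "getForward": 3, "hasPkg": 3, "setRingerMode": 2,
    "setRecEnable": 3, "reqState": 3, "showHome": 3, "getnpki": 4,
    "http": 1, "onRecordAction": 3, "call": 1, "get_apps": 3,
    "show_fs_float_window": 4,
}

# Supporting artefacts named in the advisory: the NPKI certificate folder the
# malware reads and the Java class it uses for network access (common, so low weight).
SUPPORTING_ARTEFACTS: dict[str, int] = {"NPKI": 3, "HttpURLConnection": 1}

# Whole-token matching, so "lock" does not fire on "ScreenLockActivity".
_TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def triage_strings(lines: Iterable[str], threshold: int = 12) -> dict:
    """Score a string dump against the XLoader vocabulary and return a verdict.

    A dump is flagged only when the weighted score reaches the threshold AND at
    least three distinct command names are present, so a benign dialer that
    merely contains "call" and "lock" is never flagged.
    """
    matched_cmds: set[str] = set()
    matched_art: set[str] = set()
    for line in lines:
        for tok in _TOKEN_RE.findall(line):
            if tok in XLOADER_COMMANDS:
                matched_cmds.add(tok)
            elif tok in SUPPORTING_ARTEFACTS:
                matched_art.add(tok)
    score = sum(XLOADER_COMMANDS[c] for c in matched_cmds)
    score += sum(SUPPORTING_ARTEFACTS[a] for a in matched_art)
    suspicious = score >= threshold and len(matched_cmds) >= 3
    return {
        "score": score,
        "commands": sorted(matched_cmds),
        "artefacts": sorted(matched_art),
        "suspicious": suspicious,
    }


# Constructed sample: what a string dump of an XLoader-like APK might contain.
SAMPLE_SUSPECT_DUMP = [
    "Lcom/example/fakechrome/Svc;",
    "sendSms",
    "gcont",
    "getnpki",
    "/NPKI/",
    "show_fs_float_window",
    "Ljava/net/HttpURLConnection;",
    "showHome",
]

# Constructed sample: a benign dialer app that shares only the generic tokens.
SAMPLE_BENIGN_DUMP = [
    "Lcom/example/dialer/CallActivity;",
    "call",
    "lock",
    "Ljava/net/HttpURLConnection;",
]

if __name__ == "__main__":
    for name, dump in (("suspect", SAMPLE_SUSPECT_DUMP), ("benign", SAMPLE_BENIGN_DUMP)):
        print(name, triage_strings(dump))
```

The weights and the threshold are tuning knobs, not ground truth: a sample that strips or obfuscates its command strings will score low, so this check belongs alongside behavioural analysis (outbound DNS and HTTP activity, SMS permissions, accessibility and overlay usage) rather than in place of it.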

Google Play Protect has, so far, blocked any of these infected apps from being added to the Google Play store.

Technical Details

  • Trend Micro provides a technical analysis of XLoader here.