Security researchers at McAfee have discovered a new Android backdoor malware that has infected at least 327,000 devices via malicious apps on the Google Play Store and third-party app stores.

Dubbed ‘Xamalicious’ by the McAfee Mobile Research Team, the malware was crafted using Xamarin, an open-source framework that allows building Android and iOS apps with .NET and C#.

The Android malware tries to gain accessibility privileges with social engineering and then it establishes a connection with the command-and-control (C2) server to evaluate whether or not to download a second-stage payload.

This dynamic payload injected as an assembly DLL at runtime level grants the attacker full control of the compromised device and potentially performs fraudulent actions such as clicking on ads, and installing apps, among other actions financially motivated without user consent.

Further, the second stage payload, due to the powerful accessibility services, can take full control of the infected device that was already granted during the first stage. This also contains functions to self-update the main APK, allowing it to perform any type of activity like spyware or banking trojan without user interaction.

In a blog post written by the McAfee Mobile Research Team blog post, they said it identified about 25 different malicious apps that contain the threat, 13 of which were distributed on Google Play, some since mid-2020.

Some of the apps affected by Xamalicious malware include Essential Horoscope for Android (100,000 installs), 3D Skin Editor for PE Minecraft (100,000 installs), Logo Maker Pro (100,000 installs), Auto Click Repeater (10,000 installs), Count Easy Calorie Calculator (10,000 installs), Dots: One Line Connector (10,000 installs), and Sound Volume Extender (5,000 installs), amongst others.

According to McAfee’s telemetry data, a majority of the infections were installed on devices in the United States, Germany, Spain, the UK, Australia, Brazil, Mexico, and Argentina.

While the affected apps have been proactively removed by Google from Google Play before McAfee’s blog post was published, users who have installed them since mid-2020 may still have Xamalicious malware active on their phones, which would need manual clean-up and scanning to ensure protection against malware threats.

In a statement to The Hacker News, Google said that Google Play Protect protects Android users from malware both on and off the Play Store.

“If a user already had one of these apps known to contain the malware installed, the user received a warning and it was automatically uninstalled from their device,” Google added.

“If a user tries to install an app with this identified malware, they’ll get a warning and the app will be blocked from being installed.”