New Version of XLoader That Disguises as Android Apps and an iOS Profile Holds New Links to FakeSpy (Apr 2, 2019)
A new variant of the “XLoader” spying malware (spyware) has been discovered impersonating a security application for Android devices and using a malicious iOS configuration profile to target iPhones and iPads, according to Trend Micro researchers. This new variant, called XLoader version 6.0, is being distributed through SMS messages (smishing) purporting to contain a link to a fake Android security application. The actors behind this campaign are hosting the malware on several fake websites, one of which was found to be an impersonation of a legitimate Japanese phone operator’s website. Following a link to an actor-controlled website prompts the visitor to download the malicious Android application package (APK). For iOS users, the initial website redirects to another that then prompts the user to “install a malicious iOS configuration profile to solve a network issue preventing the site from loading.” Installation of the profile opens a fake website masquerading as an Apple ID sign-in page. XLoader is capable of stealing various forms of data from an infected device and uses social media profiles on Twitter to conceal Command and Control (C2) server addresses.
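The iOS side of this campaign relies on the victim accepting a configuration profile (.mobileconfig) pushed from a web page. The following triage script is an added example for defenders and is not code from the Trend Micro write-up or from the XLoader campaign: it parses a profile, reports whether it is unsigned, and flags payload types that a socially engineered profile would plausibly carry. The payload type identifiers are Apple's real `PayloadType` values, but the risk notes attached to them and the sample profile (with its `example.invalid` hosts) are this example's own constructed assumptions; nothing here reproduces the actual profile used in the campaign.

```python
import plistlib
from dataclasses import dataclass
from urllib.parse import urlparse

# Real Apple PayloadType identifiers. The risk note next to each one is this
# example's own judgement of why such a payload matters in a phishing-delivered
# profile; the write-up does not enumerate what the XLoader profile contained.
RISKY_PAYLOAD_TYPES = {
    "com.apple.webClip.managed": "adds a home-screen web clip (can open a credential phishing page)",
    "com.apple.security.root": "installs a trusted root CA (enables TLS interception)",
    "com.apple.security.pem": "installs a certificate",
    "com.apple.vpn.managed": "routes device traffic through an attacker-chosen VPN",
    "com.apple.proxy.http.global": "sets a global HTTP proxy",
    "com.apple.dnsSettings.managed": "overrides DNS resolution",
    "com.apple.mdm": "enrolls the device in MDM (remote management)",
}


@dataclass
class Finding:
    payload_type: str
    reason: str
    detail: str = ""


def is_unsigned(profile_bytes: bytes) -> bool:
    """A .mobileconfig that starts as plain XML or a binary plist carries no CMS signature.

    A signed profile is a DER-encoded CMS blob wrapping the plist; iOS labels an
    unsigned one 'Not Verified' in the install dialog.
    """
    head = profile_bytes[:8]
    return head.startswith(b"<?xml") or head.startswith(b"bplist")


def triage_profile(profile_bytes: bytes, trusted_hosts: set) -> list:
    """Return a list of Finding objects describing risky content in the profile."""
    findings = []
    if not is_unsigned(profile_bytes):
        # Signed profile: the plist must be extracted from the CMS envelope
        # (e.g. with a CMS library) before it can be inspected; not done here.
        findings.append(Finding("(profile)", "signed profile; verify the signer and extract the plist first"))
        return findings
    findings.append(Finding("(profile)", "profile is unsigned; iOS will show it as 'Not Verified'"))

    root = plistlib.loads(profile_bytes)
    for payload in root.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in RISKY_PAYLOAD_TYPES:
            continue
        detail = ""
        if ptype == "com.apple.webClip.managed":
            url = payload.get("URL", "")
            host = urlparse(url).hostname or ""
            detail = f"URL={url}"
            if host and host not in trusted_hosts:
                detail += f" (host {host} not in trusted list)"
            if payload.get("IsRemovable") is False:
                detail += "; not removable by the user"
        findings.append(Finding(ptype, RISKY_PAYLOAD_TYPES[ptype], detail))
    return findings


# Constructed sample profile (not the campaign's real profile): an unsigned
# profile that drops an "Apple ID" web clip pointing at a lookalike host and
# installs a root certificate. plistlib.dumps() produces XML, hence unsigned.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "net.example.invalid.networkfix",
    "PayloadUUID": "00000000-0000-4000-8000-000000000001",
    "PayloadDisplayName": "Network Fix",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.webClip.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "net.example.invalid.webclip",
            "PayloadUUID": "00000000-0000-4000-8000-000000000002",
            "Label": "Apple ID",
            "URL": "https://appleid-signin.example.invalid/login",
            "IsRemovable": False,
        },
        {
            "PayloadType": "com.apple.security.root",
            "PayloadVersion": 1,
            "PayloadIdentifier": "net.example.invalid.rootca",
            "PayloadUUID": "00000000-0000-4000-8000-000000000003",
            "PayloadContent": b"\x30\x82\x00\x00-constructed-placeholder-der",
        },
    ],
})


if __name__ == "__main__":
    for f in triage_profile(SAMPLE_PROFILE, {"appleid.apple.com"}):
        print(f"{f.payload_type}: {f.reason} {f.detail}".rstrip())
```

Run against a real profile by reading the .mobileconfig bytes in place of `SAMPLE_PROFILE` and passing the hosts your organisation actually expects a web clip to point at; anything that is unsigned, installs a root CA, or adds a web clip to an unfamiliar host is worth escalating rather than installing.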
Recommendation: Messages that attempt to redirect a user to a link should be viewed with scrutiny, especially when they come from individuals with whom you do not typically communicate. Education is the best defense. Inform your employees of the dangers of phishing, specifically how it can take place in different forms of online communication, and whom to contact if a phishing attempt is identified.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.