Xbot is under development, new, inactive function spotted

Feb 18, 2015 10:58 GMT

During development, the author of Xbot, an Android malware, took the opportunity to insert into the code an offensive string aimed at antivirus products, probably out of frustration that the malicious piece kept failing to evade detection.

Xbot has been detected to lurk in unofficial marketplaces for Android apps posing as benign popular products such as Opera browser, Minecraft or even Google Play.

SMS-spying is the primary functionality

The malware itself is not an app on its own, as the author simply added the malicious code to weaponize legitimate products.

Researchers at Avast monitored the activity of Xbot and observed more than 350 unique files being distributed through the third-party marketplaces since the beginning of February.

Despite this large number of files, telemetry data from the security company showed just over 2,570 installations, counted by unique GUIDs (Globally Unique Identifiers).

After infection, the malware runs a routine to ensure persistence so that it resumes its activity after the device reboots. It also asks for a large number of dodgy permissions that are, at the moment, focused on capturing, reading and writing short text messages.

Among the functions available is monitoring incoming text messages for certain keywords and uploading those of interest to a remote command and control (C&C) server.

Another is to send SMS from the infected device to numbers selected by the cybercriminal. This is used for sending texts to premium-rate numbers, as observed by Avast when analyzing several samples of the malware.

There is also the capability to download content from a link provided by the C&C server, which can also send commands to start spying on the affected device.
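As an added example, not code from the article or from Avast, the following Python triage heuristic flags the permission profile described above in a decoded AndroidManifest.xml: SMS receive/read/send rights combined with a BOOT_COMPLETED receiver for persistence. The sample manifest and its package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission set matching the SMS capture/read/write/send behaviour described above
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.WRITE_SMS",
}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

def triage_manifest(manifest_xml: str) -> dict:
    """Flag SMS-spyware indicators in a decoded AndroidManifest.xml.
    Heuristic of this example only, not an Avast signature: SMS read/receive/send
    rights plus a BOOT_COMPLETED receiver match the persistence + SMS-spying profile.
    """
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    boot_receiver = any(
        a.get(ANDROID_NS + "name") == BOOT_ACTION
        for a in root.iter("action")
    )
    sms_perms = sorted(perms & SMS_PERMS)
    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "boot_persistence": BOOT_PERM in perms and boot_receiver,
        "suspicious": len(sms_perms) >= 2 and BOOT_PERM in perms and boot_receiver,
    }

# Constructed sample manifest shaped like a trojanized app; not a real Xbot sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged.browser">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Calling `triage_manifest(SAMPLE_MANIFEST)` returns `suspicious` set to True; a manifest without the boot receiver or with a single SMS permission is not flagged, which keeps ordinary messaging apps out of the review queue.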

Cursing at antivirus products

It is not uncommon for malware authors to introduce text strings that are unrelated to the code of the threat. In the case of Shylock, also known as Caphaw, the developers added short quotes from Shakespeare’s “The Merchant of Venice,” which helped security experts give it a name.

However, things are far from being this literary with Xbot, as the author included a short, forthright comment: “//(new StringBuilder("[expletive]_U_AV")).append("1").toString();” It is impossible to miss and most likely describes the level of annoyance with antivirus products foiling the nefarious operation Xbot is tasked with.

“Messages like this are nothing new in malware samples because security companies like Avast can really cut into the bad guys’ income from this type of malware,” said Jan Sirmer of Avast in a blog post on Tuesday.

The researchers found the Xbot samples scattered on third-party repositories in Eastern Europe. They say that the author may be planning to add a new feature designed to record incoming calls. The function exists but currently is non-working, suggesting that the project is still under development.