Trend Micro has discovered a new Trojan malware that is pretty nasty. The security analysts identified the malware as ANDROIDOS_XAVIER.AXM, or Xavier for short. It is an ad library that quietly sends user data to a remote server. What makes it so nasty is the methods it uses to cover its tracks and disguise its activities. First of all, it comes embedded within relatively innocuous apps, like ringtone makers and photo editing apps. Most of these applications appear to originate from Southeast Asia. Trend Micro has discovered over 800 different apps containing the malware, which have cumulatively been downloaded millions of times from Google Play, so it is fairly widespread.
Another thing that makes the malware insidious is the way it is coded into the application. No overtly malicious code is used within the app, so no flags are raised when it is submitted to the store for approval. However, once installed, the malware downloads malicious code from a covert server, which it can then execute. These actions can all happen in the background without the user's knowledge or consent. "[It] is [also] capable of installing other APKs, and it can do this silently if the device is rooted," say the analysts.
Xavier goes to great lengths to hide its presence and actions. It uses string encryption and internet data encryption to mask its communications. It also performs checks on the device to ensure that it is actually installed on a phone and not an emulator. If the malware detects that it is running on emulated hardware, it shuts down.
Once on the device, the malware can transmit various information about the phone and the user. Some of the information it sends seems harmless at first, such as equipment manufacturer, language, and country of origin. However, it is also capable of transmitting email addresses and other information.