Xavier: The Malicious Ad Library Plaguing Android Devices

The Xavier info-stealing ad library has spread to 800 Android apps in the Google Play Store leaving millions of users potentially at risk of infection.

Trend Micro has detected a threat by Android applications available on Google Play which at one time embedded the software development kit (SDK) of an information-stealing ad library. ANDROIDOS_XAVIER.AXM or "Xavier" for short, is a member of AdDown, the adware family which in 2015, gave us joymobile, the adware that collected and leaked user information, installed other APKs, and encrypted constant strings in the code despite communicating with its command and control server (C&C) without encryption.

The second version of AdDown, nativemob, took it further than joymobile by rearranging its code structure, adding new features, doing away with automatic app installation, collecting more user information, and encoding this data before sending it to the C&C.
In September 2016, when nativemob received minor upgrades, Xavier started appearing in isolated places.


Xavier's evolution. (Source: Trend Micro)

It attacks devices by obtaining encrypted configuration from a C&C server once it successfully loads. An encryption request is then sent to it in response, which it decrypts into a JSON file, downloads an SDK that has what it needs to then build the xavier.zip. The dex file in the archive allows the ad library to steal the manufacturer name, device ID, OS version, among information from the affected device.
Trend Micro’s Ecular Xu explains how this adware doesn’t complete this data theft in the open, stating:

"Xavier’s stealing and leaking capabilities are difficult to detect because of a self-protect mechanism that allows it to escape both static and dynamic analysis. In addition, Xavier also has the capability to download and execute other malicious codes, which might be an even more dangerous aspect of the malware. Xavier’s behavior depends on the downloaded codes and the URL of codes, which are configured by the remote server."


One app affected by Xavier. (Source: Trend Micro)

Google is said to have found the ad library just over 800 of the apps it hosts on the Google Play Store, available for download by its users. There, however, seemed to be no coordination in the apps it affected, ranging from ringtone changers to wallpapers and themes. Just under 100 apps have been pulled from the Play Store at present as Google engages in an ad library cleansing operation for these remaining apps
So far, users can only avoid infection from Xavier and other malicious ad libraries by only installing applications posted by trusted developers on Google's Play Store, after having gone through the reviews of the app, installing an antivirus as well as updating their devices regularly.