Info-stealing malware ‘Xavier’ crawls into Philippine Android devices

Trend Micro researchers detected more than 800 Android applications on the Google Play Store embedded with the software development kit (SDK) of the information-stealing ad library called “Xavier.”

On its blog, Trend Micro said it discovered a Trojan Android ad library called Xavier that silently steals and leaks a user’s information. Vietnam, the Philippines and Indonesia have the highest number of download attempts in Southeast Asia.

Here is the blog post:

“We have recently discovered a Trojan Android ad library called Xavier (Detected by Trend Micro as ANDROIDOS_XAVIER.AXM) that steals and leaks a user’s information silently. Xavier’s impact has been widespread. Based on data from Trend Micro Mobile App Reputation Service, we detected more than 800 applications embedded with the ad library’s SDK that have been downloaded millions of times from Google Play. These applications range from utility apps such as photo manipulators to wallpaper and ringtone changers.

The greatest number of download attempts came from countries in Southeast Asia such as Vietnam, Philippines, and Indonesia, with fewer downloads from the United States and Europe.

While we have covered malicious ad libraries before—notably with the MDash SDK—it comes with some notable features that differentiate it from the earlier ad library. First, it comes with an embedded malicious behavior that downloads codes from a remote server, then loads and executes it. Second, it goes to great lengths to protect itself from being detected through the use of methods such as String encryption, Internet data encryption, and emulator detection.

Xavier’s stealing and leaking capabilities are difficult to detect because of a self-protect mechanism that allows it to escape both static and dynamic analysis. In addition, Xavier also has the capability to download and execute other malicious codes, which might be an even more dangerous aspect of the malware. Xavier’s behavior depends on the downloaded codes and the URL of codes, which are configured by the remote server.”