The Xavier trojan lurks within over 800 Android apps in the Google Play store


More than 800 Android applications available on Google Play at one time embedded the software development kit (SDK) of an information-stealing ad library.

The threat, which is detected by Trend Micro as ANDROIDOS_XAVIER.AXM or “Xavier” for short, is a member of AdDown. This adware family has been around since early 2015, when its first version, joymobile, appeared on the scene. Joymobile collected and leaked user information, installed other APKs, and encrypted constant strings in the code despite communicating with its command and control (C&C) server without encryption.

AdDown’s second version, nativemob, improved on joymobile by rearranging its code structure, adding new features, doing away with automatic app installation, collecting more user information, and encoding this data before sending it to the C&C. This variant received additional updates in 2016. However, none of these fixes significantly changed the ad library’s functionality.

Which leads us to Xavier’s emergence in September 2016.


Xavier’s evolution. (Source: Trend Micro)

Once it successfully loads, Xavier obtains its configuration from a C&C server, the location of which it stores in encrypted form. It receives an encrypted request in response, decrypts the request to reveal a JSON file, and downloads an SDK which it uses to build This archive contains a dex file that allows the ad library to steal the manufacturer name, device ID, OS version, and a ton of other information from the affected device.

It doesn’t complete this data theft in the open, however. Trend Micro’s Ecular Xu elaborates on this point:

“Xavier’s stealing and leaking capabilities are difficult to detect because of a self-protect mechanism that allows it to escape both static and dynamic analysis. In addition, Xavier also has the capability to download and execute other malicious codes, which might be an even more dangerous aspect of the malware. Xavier’s behavior depends on the downloaded codes and the URL of codes, which are configured by the remote server.”

Google found the ad library in more than 800 apps available for download on its Play Store. These programs ranged from wallpaper to ringtone changers. Even GPS phone trackers contained the embedded ad library.

Phone tracker app

As of this writing, 75 apps on Google Play have removed Xavier from their code. Hopefully more programs are to follow. Check out the complete list of apps now cleansed of the ad library.

Users can protect themselves against Xavier and other malicious ad libraries by installing applications only from trusted developers on Google’s Play Store. They should also read the reviews of an app before they install it, update their devices regularly, and install an anti-virus solution on their phones.