{
	"id": "01829537-57d8-45b0-80f3-ed47ee8aa9d2",
	"created_at": "2026-04-06T00:16:24.5263Z",
	"updated_at": "2026-04-10T03:30:33.796499Z",
	"deleted_at": null,
	"sha1_hash": "6313658b90b97a5789f95b1dffb39591c387de6e",
	"title": "Angry Android hacker hides Xbot malware in popular application icons",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75024,
	"plain_text": "Angry Android hacker hides Xbot malware in popular application icons\r\nBy Jan Širmer 17 Feb 2015\r\nArchived: 2026-04-05 23:14:36 UTC\r\nAndroid Malware Xbot Spies on Text Messages\r\nIn the past few weeks, the Avast Mobile Security analysts have been focusing on Android malware which targets users in Russia and Eastern Europe. One of the families that caught our interest was the Xbot malware.\r\nThe name Xbot comes from the sample itself: the string Xbot was found in all variants of this malware. Xbot uses a variety of app names and package names, but this string was present, with different levels of obfuscation, in every single file we analyzed, so we decided to name the malware after it.\r\nXbot is not an app itself, but is included in different apps. We didn’t identify it in apps available on Google Play, but on local Russian markets like www.apk-server12.ru. Users in Eastern Europe use markets other than Google Play more than West European and U.S. users do, which might be one of the reasons why the cybercriminals chose this distribution channel. Xbot tries to hide behind apps that look like legitimate apps, such as Google Play or the Opera Browser. It requests a long list of permissions which allow it to spy on the user’s SMS, and the malware could potentially spy on people’s phone calls in the future, too. It also sends premium SMS behind the user’s back, so it is malicious through-and-through.\r\nSince the beginning of February we have seen 353 unique files with more than 2570 unique install GUIDs. These numbers are not the highest ones we’ve ever seen, but they still, unfortunately, show the potential of Android malware combined with social engineering.\r\nThe author hides a message\r\nOne interesting thing we discovered is that the malware author is not shy about expressing his anger with the antivirus companies who detect his masterpiece. 
Sometimes we find embedded messages addressed to malware analysts. This one is quite strong. See if you can spot it: //9new StringBuilder (\"FUCK_U_AV\")).append(\"1\").toString();. Messages like this are nothing new in malware samples, because security companies like Avast can really cut into the bad guys' income from this type of malware.\r\n[Image: Message]\r\nThe author tries to cover his tracks\r\nhttps://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/\r\nPage 1 of 4\r\nAs part of its anti-analysis protection, the author(s) obfuscate these samples to make them harder to read. This protection is fairly simple, though: it usually consists of adding junk characters which are discarded at runtime, or of running the build through ProGuard, which mangles method names and the file structure.\r\nThe samples we analyzed contain two different packages. One package contains only a single class, which works as a sort of settings holder and contains the URL to connect to, the name of an additional APK (possibly with extended functionality) and local preference settings.\r\nThe connection URL is mostly gibberish and varies between the samples we analyzed. It is used as a C\u0026C server and also as storage for information about the infected device.\r\nThe second string is the name of an additional APK which is downloaded and stored in /mnt/sdcard/.\r\nThe second package contains the larger part of the functionality. 
This package shows us three distinct and important functionalities of this malware.\r\nThe first one is a function responsible for checking whether the additional APK exists on /mnt/sdcard/, which allows the malware to download it in case this APK doesn’t exist.\r\nThe second function monitors incoming SMS for keywords and, based on those, can capture and upload the received messages to the server, where they can be misused by the attacker.\r\nThe third function is the ability to send SMS messages from the compromised device to any number the author(s) of the malware want. These numbers are usually premium numbers whose profit is paid back to the bad guys.\r\nIn the next picture you can see all permissions requested by the malware.\r\n[Image: Permissions]\r\nAs you can see, the malware requests the RECEIVE_BOOT_COMPLETED permission, which allows it to be persistent on the compromised device, i.e. the malware automatically restarts when the device restarts. Note that since Android 3.1 a freshly installed app does not receive the BOOT_COMPLETED broadcast until the user has launched it at least once, which is one more reason the malware wants the user to tap its borrowed icon.\r\nThe author attempts to hide the malware\r\nThe malicious app tries to be stealthy. It uses a few tricks to fool the user into running it. First, by analyzing the sample set of this family, we were able to identify the misuse of some well-known application icons, such as Android Market, Opera browser, Minecraft or even Google Play.\r\nOnce the user runs the application he is presented with an Activity that contains a single string, “Application successfully installed”, always only in Russian: “Приложение успешно установлено”.\r\nMeanwhile, the application hides its icon from the launcher so that the user cannot find it anymore. Thankfully, it’s not as sophisticated as the Fobus family we were writing about a few weeks back, so the user can actually find it and remove it from the device by using the standard Android uninstall dialog, but honestly, who remembers all the apps they’ve installed? 
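The capability set described above (an SMS receiver plus RECEIVE_SMS, SEND_SMS for the premium-rate messages, RECEIVE_BOOT_COMPLETED wired to a boot receiver, a borrowed app label, and the launcher-icon hiding call) can be checked statically from an unpacked APK. The following is an added Python example written for this page, not Avast tooling and not code from the sample: the manifest and the decompiled fragment are constructed to resemble an Xbot dropper, and the list of impersonated labels is an assumption based on the icons named above. It generalizes the indicators into a small triage that would flag any app combining them.

```python
import xml.etree.ElementTree as ET

# Namespace prefix ElementTree uses for android:* attributes in a manifest.
ANDROID_NS = '{http://schemas.android.com/apk/res/android}'

# Labels of the apps whose icons Xbot was seen borrowing (assumed list).
IMPERSONATED_LABELS = {'Google Play', 'Android Market', 'Opera', 'Minecraft'}

# Constructed manifest resembling an Xbot dropper: launcher activity with a
# borrowed label, an SMS receiver, a boot receiver and the permission set the
# three capabilities need. Not taken from a real sample.
SAMPLE_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
          package='com.example.fakeplay'>
  <uses-permission android:name='android.permission.RECEIVE_SMS'/>
  <uses-permission android:name='android.permission.SEND_SMS'/>
  <uses-permission android:name='android.permission.RECEIVE_BOOT_COMPLETED'/>
  <uses-permission android:name='android.permission.INTERNET'/>
  <uses-permission android:name='android.permission.WRITE_EXTERNAL_STORAGE'/>
  <application android:label='Google Play' android:icon='@drawable/play'>
    <activity android:name='.MainActivity'>
      <intent-filter>
        <action android:name='android.intent.action.MAIN'/>
        <category android:name='android.intent.category.LAUNCHER'/>
      </intent-filter>
    </activity>
    <receiver android:name='.SmsReceiver'>
      <intent-filter android:priority='999'>
        <action android:name='android.provider.Telephony.SMS_RECEIVED'/>
      </intent-filter>
    </receiver>
    <receiver android:name='.BootReceiver'>
      <intent-filter>
        <action android:name='android.intent.action.BOOT_COMPLETED'/>
      </intent-filter>
    </receiver>
  </application>
</manifest>'''

# Constructed fragment of decompiled code: the launcher-icon hiding call.
SAMPLE_SOURCE = '''
PackageManager pm = getPackageManager();
pm.setComponentEnabledSetting(getComponentName(),
        PackageManager.COMPONENT_ENABLED_STATE_DISABLED,
        PackageManager.DONT_KILL_APP);
'''


def declared_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + 'name') for el in root.iter('uses-permission')}


def receiver_actions(manifest_xml):
    # Actions any <receiver> listens for: tells us whether a permission is
    # actually wired to a broadcast handler (SMS_RECEIVED, BOOT_COMPLETED).
    root = ET.fromstring(manifest_xml)
    return {a.get(ANDROID_NS + 'name')
            for r in root.iter('receiver') for a in r.iter('action')}


def application_label(manifest_xml):
    # Literal label only; an '@string/...' reference needs resources.arsc.
    app = ET.fromstring(manifest_xml).find('application')
    return None if app is None else app.get(ANDROID_NS + 'label')


def hides_launcher_icon(source):
    # The PackageManager API used to disable the app's own launcher activity.
    return ('setComponentEnabledSetting' in source
            and 'COMPONENT_ENABLED_STATE_DISABLED' in source)


def triage(manifest_xml, source):
    perms = declared_permissions(manifest_xml)
    actions = receiver_actions(manifest_xml)
    findings = []
    if ('android.permission.RECEIVE_SMS' in perms
            and 'android.provider.Telephony.SMS_RECEIVED' in actions):
        findings.append('intercepts incoming SMS')
    if 'android.permission.SEND_SMS' in perms:
        findings.append('can send SMS (premium-rate fraud)')
    if ('android.permission.RECEIVE_BOOT_COMPLETED' in perms
            and 'android.intent.action.BOOT_COMPLETED' in actions):
        findings.append('restarts at boot')
    if hides_launcher_icon(source):
        findings.append('hides launcher icon')
    label = application_label(manifest_xml)
    if label in IMPERSONATED_LABELS:
        findings.append('impersonates ' + label)
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_SOURCE):
        print('-', finding)
```

On a real APK the manifest is binary XML and the label is usually a resource reference, so the inputs would come from apktool or androguard rather than being pasted in; the checks themselves stay the same.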
And even if the user did remember, who on earth would want to uninstall Google Play, Opera or another similar app? ;-)\r\n[Image: Applications]\r\nAs we mentioned before, the self-protection mechanism this malware uses is to hide its icon from the launcher. This is done by calling PackageManager.setComponentEnabledSetting() on its own launcher activity with the state COMPONENT_ENABLED_STATE_DISABLED, as you can see in the picture below.\r\n[Image: HideIcon]\r\nThe author controls the malware via C\u0026C\r\nXbot malware is controlled by the author(s) through a C\u0026C server. The server addresses are probably randomly created domains, and these C\u0026C servers allow the attacker to command the malware to start spying on the device, send SMS and download additional content to the affected device. In the next picture you can see that the communication with the C\u0026C server uses URL parameters to send the data and a PHP script to process them.\r\n[Image: C\u0026C server]\r\nBased on the answer from the C\u0026C server, the malware can take different actions.\r\nOne of them is that the malware can download URL content to the affected device. This URL is provided to Xbot by the C\u0026C server.\r\n[Image: URL content]\r\nWhen content is downloaded, it can be started by Xbot. In the next picture you can see the code responsible for running upee.apk, which is probably downloaded through the code in the previous picture.\r\n[Image: UpeeLaunch]\r\nAnother possible course of action is that Xbot can start spying on the infected device. It captures all received SMSs and searches for keywords in them.\r\n[Image: PDU]\r\nIf the keywords are detected, it can upload the chosen SMS to the server using a save_message.php script.\r\n[Image: SaveSMS]\r\nThe author plans for the future\r\nWe have noticed some evolution of this particular malware already. 
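The SMS capture and keyword filter described above, as an added example that is not code from the sample or from Avast: an SMS_RECEIVED receiver on Android is handed the raw message as an array of PDUs (the pdus extra of the intent), which the app normally decodes with SmsMessage.createFromPdu(). The Python below walks such an SMS-DELIVER PDU by hand so that it is clear what the keyword filter actually sees (sender and text) and which messages would be selected for upload. The PDU is the well-known textbook example found in most GSM 03.40 tutorials, used here as constructed input; the keyword list is an assumption, since the real list lives inside each sample.

```python
# Textbook SMS-DELIVER PDU used as constructed input: SMSC +27831000015,
# sender 27838890001, 7-bit default alphabet, text 'hellohello'.
SAMPLE_PDU = '07917283010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9EC37'

# Assumed keyword list; the real one varies per sample.
KEYWORDS = ('bank', 'code', 'hello')


def swap_nibbles(hexdigits):
    # Phone numbers are BCD semi-octets, low digit first; F pads an odd count.
    out = ''
    for i in range(0, len(hexdigits), 2):
        out += hexdigits[i + 1] + hexdigits[i]
    return out.rstrip('F')


def unpack_7bit(data, septets):
    # GSM 7-bit packing (3GPP TS 23.038): septets are packed LSB-first into
    # octets. Codes that overlap ASCII are mapped directly; a full decoder
    # would also translate the non-ASCII part of the default alphabet.
    chars, acc, bits = [], 0, 0
    for byte in data:
        acc |= byte << bits
        bits += 8
        while bits >= 7 and len(chars) < septets:
            chars.append(chr(acc & 0x7F))
            acc >>= 7
            bits -= 7
    return ''.join(chars)


def parse_sms_deliver(pdu_hex):
    # Walk a GSM 03.40 SMS-DELIVER TPDU as handed to SMS_RECEIVED receivers.
    raw = bytes.fromhex(pdu_hex)
    pos = raw[0] + 1                              # skip SMSC length and address
    first_octet = raw[pos]
    pos += 1
    if (first_octet & 0x03) != 0:                 # MTI 00 = SMS-DELIVER
        raise ValueError('not an SMS-DELIVER PDU')
    addr_digits = raw[pos]                        # sender length in digits
    addr_type = raw[pos + 1]
    pos += 2
    addr_len = (addr_digits + 1) // 2
    sender = swap_nibbles(raw[pos:pos + addr_len].hex().upper())
    pos += addr_len
    pos += 1                                      # protocol identifier
    dcs = raw[pos]                                # data coding scheme
    pos += 1
    pos += 7                                      # service centre timestamp
    udl = raw[pos]                                # user data length
    pos += 1
    user_data = raw[pos:]
    if (dcs & 0x0C) == 0x00:                      # 7-bit default alphabet
        text = unpack_7bit(user_data, udl)
    elif (dcs & 0x0C) == 0x08:                    # UCS-2
        text = user_data[:udl].decode('utf-16-be')
    else:
        raise ValueError('8-bit binary message, not text')
    return {'sender': sender, 'type_of_address': addr_type, 'text': text}


def matching_keywords(text, keywords=KEYWORDS):
    lowered = text.lower()
    return [k for k in keywords if k in lowered]


def select_for_upload(pdus, keywords=KEYWORDS):
    # What the keyword filter leaves over: the messages the bot would then
    # send to its upload endpoint (save_message.php in the samples).
    chosen = []
    for pdu in pdus:
        msg = parse_sms_deliver(pdu)
        hits = matching_keywords(msg['text'], keywords)
        if hits:
            chosen.append((msg['sender'], msg['text'], hits))
    return chosen


if __name__ == '__main__':
    print(select_for_upload([SAMPLE_PDU]))
```

A message body carrying a bank verification code would be matched by exactly this kind of substring test, which is why interception of a single keyword-bearing SMS is enough for the operator.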
The evolution so far, however, has been mainly in terms of obfuscation and restructuring of the code and resources. Now, though, we expect some further evolution. During the analysis, we noticed a function which seemingly doesn’t have any purpose at the moment, but may be misused in the future. After proper implementation, this function could be used for spying on incoming calls. The name of the containing class, ICREC, suggests this as well: Incoming Call RECorder. This is not the only thing which suggests there will probably be some evolution; we also found that gettaks.php, which is used for contacting the C\u0026C server, contains more fields than are currently used.\r\n[Image: Call recording]\r\nA sample of C\u0026C URLs we’ve encountered:\r\n[Image: XbotURLs]\r\n[Image: Evogen_detection]\r\nAvast makes the author really mad\r\nOne reason we find messages embedded in the code of Android malware is that we are so successful at detecting and blocking it. Avast protects those using Avast Mobile Security against the variants of Xbot malware. If you have not protected your Android device, please install Avast Mobile Security and Antivirus from the Google Play store.\r\nAcknowledgement\r\nThanks to my colleague, Ondřej David, for cooperation on this analysis.\r\nSource\r\nHere are some samples connected with the analysis (SHA-256):\r\n040F94A3D129091C972DB197042AF5F8FCF4C469B898E9F3B535CFA27B484062\r\n2E58701986AFA87FD55B31AE3E92AF8A18CA4832753C84EA3545CEB48BB7B1A7\r\nSource: https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/"
	],
	"report_names": [
		"angry-android-hacker-hides-xbot-malware-in-popular-application-icons"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434584,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6313658b90b97a5789f95b1dffb39591c387de6e.pdf",
		"text": "https://archive.orkl.eu/6313658b90b97a5789f95b1dffb39591c387de6e.txt",
		"img": "https://archive.orkl.eu/6313658b90b97a5789f95b1dffb39591c387de6e.jpg"
	}
}