Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices
ID: 45e403e1-7b5e-5482-acd2-73772728964e
STIX ID: report--45e403e1-7b5e-5482-acd2-73772728964e
Feed Name: McAfee Labs Blog
McAfee Mobile Research documents Android/Xamalicious, a Xamarin-based Android backdoor that tricks users into granting Accessibility Services, communicates with a C2 using JWE/JWT and hardcoded RSA keys, and conditionally downloads an AES-encrypted second-stage DLL that can fully control devices to perform ad fraud and other financially motivated actions. The campaign included ~25 malicious apps (some on Google Play) with an estimated 327,000+ installs; the report provides detailed IoCs and package hashes.
