
Linux Devs Patch Critical Shim: Urgent Fix Released


Security researchers at McAfee have discovered a new variant of the XLoader Android malware that is more dangerous than previous versions. This malware can launch itself on infected devices without any interaction from the user. This technique allows the malware to execute various malicious activities as soon as it is installed, making it more difficult for users to detect and remove it.

The new variant of the XLoader malware can execute a wide array of commands, making it a significant threat to Android users. This malware can steal sensitive information, such as photos and texts, without being opened by the user. It can also launch a man-in-the-middle (MITM) attack to intercept and modify HTTP traffic, allowing attackers to subvert secure boot and take control of the target system.

Key Takeaways

  • The new variant of the XLoader malware can launch itself on infected devices without any interaction from the user, making it more difficult to detect and remove.
  • The malware can execute a wide array of commands, including stealing sensitive information and launching a man-in-the-middle attack.
  • End users should take extra precautions to protect their Android devices from this dangerous malware, such as using endpoint security tools and keeping their operating systems up to date.

Android XLoader gets more dangerous with the auto-execute technique

XLoader, also known as MoqHao, is a notorious Android malware family that has been around since at least 2015. It is operated by the Roaming Mantis threat actor group and has previously targeted Android users in several countries, including France, Germany, Japan, South Korea, Taiwan, the UK, and the US.

Recently, McAfee's Mobile Research Team has discovered that MoqHao has started distributing a new variant of the malware using an auto-execution technique. This technique was first identified in July 2022. The distribution method is the same as before, with attackers sending text messages containing a shortened link to download the malicious app to potential victims.

If an unsuspecting user clicks on the link and proceeds to install the app, disguised as Google Chrome, they immediately fall prey to the attack. Unlike previous variants, which required users to open the app before the malware became active, the new XLoader variant can launch automatically after installation.

This technique allows the malware to execute malicious activities in the background without user interaction. Since the app is disguised as Google Chrome, it further helps avoid detection. It tricks users into granting permission to always run the app in the background and access files, messages, and more. The malware even asks users to set itself as the default messaging app, claiming that it will help prevent spam.

Attackers have prepared this pop-up message in several languages, including English, Korean, French, Japanese, German, and Hindi, which indicates their current targets. Once the initialization process is complete, the malware creates a notification channel to display phishing messages. It checks the device's carrier and adjusts the phishing messages accordingly. According to McAfee, the phishing message and the phishing URL are obtained from Pinterest profiles.

This auto-execution technique makes XLoader even more dangerous than before. Users should be cautious when receiving text messages containing shortened links and never install apps from untrusted sources. They should also regularly update their devices with the latest security patches to stay protected against known vulnerabilities.


The Malware Can Execute a Wide Array of Commands

XLoader is capable of executing a variety of commands remotely, allowing attackers to take control of the infected device. According to McAfee, the malware can receive up to 20 commands from its command and control (C2) server via the WebSocket protocol. Some of the most dangerous commands include:

  • Sending all photos to the control server
  • Sending all messages to the control server
  • Sending new messages to contacts
  • Exporting saved contacts
  • Collecting device identifiers such as IMEI, SIM number, Android ID, serial number, and more
  • Sending HTTP requests to download more malware

These commands can be executed without the user's knowledge or consent, putting their privacy and security at risk. XLoader can also prevent users from accessing their device's settings or using antivirus apps.

It is important to note that Android devices with Google Play Services, which have Google Play Protect enabled by default, are protected against this malware. However, it is still recommended to only download apps from known sources like the Google Play Store. Google is also reportedly working on a way to prevent this type of auto-execution in a future Android version, possibly Android 15.

Conclusion & Personal Recommendation

In conclusion, the discovery of a new variant of the Android XLoader malware that can launch itself on infected devices without requiring user interaction is a cause for concern. This malware, also known as MoqHao, is operated by a financially motivated threat actor named 'Roaming Mantis'.

To stay safe from this malware, Android users should keep their devices up to date with the latest security patches and avoid downloading apps from untrusted sources. Additionally, users should be cautious when clicking on links or downloading attachments from unknown sources, as these could be used to spread malware.

It is also recommended that users install a reputable antivirus app on their devices to detect and remove any malware that may be present. By following these best practices, Android users can reduce their risk of falling victim to the Android XLoader malware or any other malware that may be circulating on the internet.

Frequently Asked Questions

How does the shim bootloader interact with Secure Boot in Linux?

The shim bootloader is used to authenticate and load third-party bootloaders, such as GRUB, while still maintaining the security provided by the UEFI Secure Boot feature. The shim bootloader is signed by a trusted certificate authority, allowing it to be loaded by the UEFI firmware, which then loads the signed third-party bootloader.

What steps should be taken to patch a vulnerability in the Linux boot process?

To patch a vulnerability in the Linux boot process, users should first identify which component is affected and obtain the necessary patch from the vendor or distribution. The patch should be applied as soon as possible to prevent exploitation of the vulnerability.

Which Linux distributions are affected by the recent shim vulnerability?

The recent shim vulnerability affects several Linux distributions, including Ubuntu, Fedora, and Debian. It is important for users of these distributions to check for and apply any available security updates.

What are the implications of a compromised shim for Linux system security?

A compromised shim can allow an attacker to bypass the Secure Boot feature and load unsigned or malicious code during the boot process. This can lead to a complete compromise of the system, including theft of sensitive data, installation of backdoors, and more.

What measures can be taken to verify the integrity of the shim after patching?

Users can verify the integrity of the patched shim by checking its digital signature against the trusted certificate authority. This can be done using the sbverify command on Ubuntu and other distributions.
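A check a defender could run after updating shim, as an added example that is not part of the article: it lists the embedded signature and verifies it against a trusted CA with sbverify (from sbsigntool), and records the Secure Boot state with mokutil. The shim path and the CA certificate path are assumed placeholders to adjust for your distribution.

```shell
#!/bin/sh
# Added example (not from the article): verify a patched shim's Authenticode
# signature with sbverify from sbsigntool, and record the Secure Boot state.
# Assumptions: sbsigntool and mokutil are installed; the shim path and the
# PEM file holding the trusted CA certificate are placeholders to adjust.

SHIM_PATH="${SHIM_PATH:-/boot/efi/EFI/ubuntu/shimx64.efi}"   # assumed Ubuntu layout
CA_CERT="${CA_CERT:-/path/to/trusted-uefi-ca.pem}"            # placeholder, assumed

# verify_signed_pe FILE CERT
#   returns 0 when FILE carries a signature that chains to CERT,
#           1 when sbverify rejects the signature,
#           2 when a prerequisite (tool, file, certificate) is missing.
verify_signed_pe() {
    file="$1"; cert="$2"
    command -v sbverify >/dev/null 2>&1 || { echo "sbverify not installed" >&2; return 2; }
    [ -r "$file" ] || { echo "binary not readable: $file" >&2; return 2; }
    [ -r "$cert" ] || { echo "CA certificate not readable: $cert" >&2; return 2; }
    # Print the embedded signer(s) so the check is auditable in logs.
    sbverify --list "$file" || return 1
    # Verify the PE signature against the supplied trusted certificate.
    sbverify --cert "$cert" "$file" || return 1
    return 0
}

# secure_boot_state prints enabled, disabled or unknown based on mokutil.
secure_boot_state() {
    command -v mokutil >/dev/null 2>&1 || { echo unknown; return 0; }
    case "$(mokutil --sb-state 2>/dev/null || true)" in
        *enabled*)  echo enabled ;;
        *disabled*) echo disabled ;;
        *)          echo unknown ;;
    esac
}

# Run the check only when explicitly requested, so sourcing the file is safe.
if [ "${1:-}" = "--check" ]; then
    echo "Secure Boot: $(secure_boot_state)"
    if verify_signed_pe "$SHIM_PATH" "$CA_CERT"; then
        echo "OK: $SHIM_PATH signature verified against $CA_CERT"
    else
        rc=$?
        echo "FAILED (rc=$rc): do not trust $SHIM_PATH until resolved" >&2
        exit "$rc"
    fi
fi
```

Run it as `sh check-shim.sh --check` after the package update; a non-zero exit means the binary or its signature should be investigated before the next reboot.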

How can users ensure their Linux system remains secure following a critical shim patch?

To ensure the continued security of their Linux system following a critical shim patch, users should regularly check for and apply any available security updates, including those related to the boot process. It is also recommended to use additional security measures, such as firewalls and intrusion detection systems, to further protect the system from potential attacks.
