This evil Android malware has one devious USP — it doesn't even need to be opened to start stealing all your photos and files

However, the key difference comes after installation - the victim doesn’t need to run the new variant - it automatically launches, and stealthily at that. Google was already tipped off and is working on a fix: "While the app is installed, their malicious activity starts automatically," McAfee said. "We have already reported this technique to Google and they are already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version."

Asking for permissions

But simply running the app will not suffice, as it still needs vital permissions to start stealing data. To trick the victims into granting them, the malware was given the name Chrome, but via Unicode strings - so the app’s font will look slightly off, which should be enough of a red flag. If that doesn’t ring any alarms, the permissions the app seeks should: it asks for the ability to send and access SMS content, and to be able to always run in the background. 

As the pop-up messages asking for these permissions are available in English, Korean, French, Japanese, German, and Hindi, McAfee’s researchers believe these are also target countries. 

Among other things, XLoader can steal people’s photos, send SMS messages, extract existing SMS messages to a third-party server, export contact lists, grab device identifiers, and more.

Via BleepingComputer

More from TechRadar Pro

• New Android malware family has infected thousands of devices - here's what we know
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now