{"id":178502,"date":"2023-12-22T11:34:18","date_gmt":"2023-12-22T19:34:18","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=178502"},"modified":"2024-06-11T09:35:17","modified_gmt":"2024-06-11T16:35:17","slug":"stealth-backdoor-android-xamalicious-actively-infecting-devices","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/","title":{"rendered":"Stealth Backdoor \u201cAndroid\/Xamalicious\u201d Actively Infecting Devices"},"content":{"rendered":"<p><em>Authored by Fernando Ruiz\u00a0<\/em><\/p>\n<p><span data-contrast=\"auto\">The McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows building Android and iOS apps with .NET and C#. Dubbed Android\/Xamalicious, it tries to gain accessibility privileges through social engineering and then communicates with the command-and-control server to evaluate whether to download a second-stage payload. That payload is dynamically injected as an assembly DLL at runtime to take full control of the device and potentially perform fraudulent, financially motivated actions such as clicking on ads and installing apps without user consent.<\/span><\/p>\n<p><span data-contrast=\"auto\">The second-stage payload can take full control of the infected device because of the powerful accessibility services already granted during the first stage, which also contains functions to self-update the main APK. This means it has the potential to perform any type of activity, like spyware or a banking trojan, without user interaction.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\"> However, we identified a link between Xamalicious and the ad-fraud app \u201cCash Magnet\u201d, which automatically clicks ads, installs apps, and performs other actions to fraudulently generate revenue while 
users that installed it may earn points that are supposed to be redeemable as a retail gift card. This means that the developers behind these threats are financially motivated and drive ad fraud; therefore, this might be one of the main payloads of Xamalicious.<\/span><\/p>\n<p><span data-contrast=\"auto\">The use of the Xamarin framework allowed the malware authors to stay active and undetected for a long time, taking advantage of the APK build process, which worked as a packer to hide the malicious code. In addition, the malware authors implemented different obfuscation techniques and custom encryption to exfiltrate data and communicate with the command-and-control server.<\/span><\/p>\n<p><span data-contrast=\"auto\">We\u2019ve identified about 25 different malicious apps that carry this threat. Some variants have been distributed on Google Play since mid-2020. The apps identified in this report were proactively removed by Google from Google Play ahead of our reporting. McAfee is a member of the App Defense Alliance and an active partner in the malware mitigation program, which aims to quickly find Potentially Harmful Applications (PHAs) and stop them before they ever make it onto Google Play. 
Android users are protected by Google Play Protect, which can warn users of identified malicious apps on Android devices.<\/span><span data-contrast=\"auto\">\u00a0McAfee Mobile Security detects this threat as Android\/Xamalicious.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Based on the number of installations these apps may have compromised at least 327,000 devices from Google Play plus the installations coming from third-party markets that continually produce new infections based on the detection telemetry of McAfee clients around the world. This threat remains very active.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-178503\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_1-149x300.png\" alt=\"\" width=\"300\" height=\"603\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_1-149x300.png 149w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_1-510x1024.png 510w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_1-768x1542.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_1-765x1536.png 765w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_1-64x129.png 64w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_1.png 956w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/center>&nbsp;<\/p>\n<p style=\"text-align: center;\"><span data-contrast=\"auto\">Figure 1. 
\u201cCount Easy Calorie Calculator\u201d was available on Google Play on August 2022 and carries Android\/Xamalicious<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Android\/Xamalicious trojans are apps related to health, games, horoscope, and productivity. Most of these apps are still available for download in third-party marketplaces.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Previously we detected malware abusing Xamarin framework such as the open-sourced AndroSpy and forked versions of it, but Xamalicious is implemented differently. Technical details about <\/span><a href=\"https:\/\/learn.microsoft.com\/en-us\/xamarin\/android\/internals\/architecture\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">Xamarin architecture<\/span><\/a><span data-contrast=\"auto\"> are well documented and detail how .NET code is interpreted by Android using Mono.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">Obtaining Accessibility Services<\/span><\/h2>\n<p><span data-contrast=\"auto\">Let\u2019s use the app \u201cNumerology: Personal horoscope &amp; Number predictions\u201d as an example. 
Once started it immediately requests the victim to enable accessibility services for \u201ccorrect work\u201d and provides directions to activate this permission: <\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-178517 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_2.png\" alt=\"\" width=\"396\" height=\"652\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_2.png 396w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_2-182x300.png 182w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_2-78x129.png 78w\" sizes=\"auto, (max-width: 396px) 100vw, 396px\" \/><\/center>&nbsp;<\/p>\n<p style=\"text-align: center;\"><span data-contrast=\"auto\">Figure 2. Tricking users into granting accessibility services permission<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Users need to manually activate the accessibility services after several OS warnings such as the following on the accessibility options:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-178531 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_3.png\" alt=\"\" width=\"1000\" height=\"779\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_3.png 1000w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_3-300x234.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_3-768x598.png 768w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_3-166x129.png 166w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/center><\/p>\n<p style=\"text-align: center;\"><span data-contrast=\"auto\">Figure 3. The accessibility services configuration prompt highlights the risks of this permission.<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Where is the malicious code?<\/span><\/h2>\n<p><span data-contrast=\"auto\">This is not traditional Java code or a native ELF Android application: the malware module was originally written in .NET and compiled into a dynamic link library (DLL). It is then LZ4-compressed and may be embedded into a BLOB file or placed directly in the \/assemblies directory of the APK. This code is then loaded by a native library (ELF) or by the DEX file at runtime. In simple words, this means that in some samples reversing the DLL assemblies is straightforward, while in others it requires extra steps to unpack them.<\/span><\/p>\n<p><span data-contrast=\"auto\">The malicious code is usually available in two different assembly files in the \/assemblies directory on the apk. 
Usually, file names are core.dll and a &lt;package-specific&gt;.dll.<\/span><\/p>\n<p><span data-contrast=\"auto\">Some malware variants have obfuscated the DLL assemblies to hinder analysis and reversing of the malicious code, while others keep the original code available.<\/span><\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-178545 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_4.png\" alt=\"\" width=\"457\" height=\"451\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_4.png 457w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_4-300x296.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_4-131x129.png 131w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_4-24x24.png 24w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_4-48x48.png 48w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_4-96x96.png 96w\" sizes=\"auto, (max-width: 457px) 100vw, 457px\" \/><\/center>&nbsp;<\/p>\n<p style=\"text-align: center;\"><span data-contrast=\"auto\">Figure 4. Core.dll and GoogleService.dll contain malicious code.<\/span><\/p>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">Communication with the command-and-control server<\/span><\/h2>\n<p><span data-contrast=\"auto\">Once accessibility permissions are granted, the malware initiates communication with the malicious server to dynamically load a second-stage payload. 
<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-178559 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_5.png\" alt=\"\" width=\"1164\" height=\"768\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_5.png 1164w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_5-300x198.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_5-1024x676.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_5-768x507.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_5-196x129.png 196w\" sizes=\"auto, (max-width: 1164px) 100vw, 1164px\" \/><\/center><\/p>\n<p style=\"text-align: center;\"><span data-contrast=\"auto\">Figure 5. App execution and communication with the malicious server<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">Collect Device Information<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">Android\/Xamalicious collects multiple device data including the list of installed applications obtained via system commands to determine if the infected victim is a good target for the second stage payload. 
The malware can also collect location, carrier, and network information, as well as the device rooting status and ADB connectivity configuration; for instance, if the device is connected via ADB or is rooted, the C2 will not provide a second-stage payload DLL for download.<\/span><\/p>\n<table data-tablestyle=\"MsoTable15Grid1LightAccent5\" data-tablelook=\"1184\" aria-rowcount=\"8\">\n<tbody>\n<tr aria-rowindex=\"1\">\n<td data-celllook=\"256\"><b><span data-contrast=\"auto\">Method\/Command<\/span><\/b><\/td>\n<td data-celllook=\"256\"><b><span data-contrast=\"auto\">Description<\/span><\/b><\/td>\n<\/tr>\n<tr aria-rowindex=\"2\">\n<td data-celllook=\"0\"><b><span data-contrast=\"auto\">DevInfo<\/span><\/b><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Hardware and device information that includes:<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"10\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">Android Id<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"10\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Brand, CPU, Model, Fingerprint, Serial<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"10\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">OS Version, release, SDK<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"10\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"4\" data-aria-level=\"1\"><span data-contrast=\"auto\">Language<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"10\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"5\" data-aria-level=\"1\"><span data-contrast=\"auto\">Developer Option status<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"10\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"6\" data-aria-level=\"1\"><span data-contrast=\"auto\">Language<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"10\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"7\" data-aria-level=\"1\"><span data-contrast=\"auto\">SIM Information (operator, state, network type, etc)<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"10\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"8\" data-aria-level=\"1\"><span data-contrast=\"auto\">Firmware, firmware version<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr aria-rowindex=\"3\">\n<td data-celllook=\"0\"><b><span data-contrast=\"auto\">GeoInfo<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Location of the device based on IP address, the malware contacts services such as api.myip.com to verify the device location and ISP data.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"12\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">ISP Name<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"12\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Organization<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"12\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">Services<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">FraudScore: Self-protection to identify if the device is not a real user<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"4\">\n<td data-celllook=\"0\"><b><span data-contrast=\"auto\">EmuInfo<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">It lists all adbProperties that in a real device are around 640 properties. 
This list is encoded as a string parameter in URL-encoded format.<\/span><\/p>\n<p><span data-contrast=\"auto\">This data may be used to determine whether the affected client is a real device or an emulator, since it contains parameters such as:<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"13\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:763,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">CPU<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"13\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:763,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Memory<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"13\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:763,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">Sensors<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"13\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:763,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"4\" data-aria-level=\"1\"><span data-contrast=\"auto\">USB Configuration<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"13\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:763,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"5\" data-aria-level=\"1\"><span data-contrast=\"auto\">ADB Status<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr aria-rowindex=\"5\">\n<td data-celllook=\"0\"><b><span data-contrast=\"auto\">RootInfo<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td 
data-celllook=\"0\"><span data-contrast=\"auto\">After trying to identify with multiple techniques whether the device is rooted, the result is consolidated in this command.<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"6\">\n<td data-celllook=\"0\"><b><span data-contrast=\"auto\">Packages<\/span><\/b><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">It uses the system commands \u201cpm list packages -s\u201d and \u201cpm list packages -3\u201d to list the system and third-party (user-installed) apps on the device.<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"7\">\n<td data-celllook=\"0\"><b><span data-contrast=\"auto\">Accessibility<\/span><\/b><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">It reports whether accessibility services permissions have been granted.<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"8\">\n<td data-celllook=\"0\"><b><span data-contrast=\"auto\">GetURL<\/span><\/b><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">This command only provides the Android Id and is the request for the second-stage payload. 
The C2 evaluates the client request and returns a status and an encrypted assembly DLL.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">Data Encryption in JWT<\/span><\/h2>\n<p><span data-contrast=\"auto\">To evade analysis and detection, the malware authors encrypted all communication and data transmitted between the C2 and the infected device. It is not only protected by HTTPS but also encrypted as <\/span><a href=\"https:\/\/en.wikipedia.org\/wiki\/JSON_Web_Encryption\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">a JSON Web Encryption<\/span><\/a><span data-contrast=\"auto\"> (JWE) token using RSA-OAEP with a 128CBC-HS256 algorithm. However, the RSA key values used by Xamalicious are hardcoded in the decompiled malicious DLL, so decryption of the transmitted information is possible if the C2 infrastructure is available during the analysis.<\/span><\/p>\n<p><span data-contrast=\"auto\">In the Send() function, Android\/Xamalicious first prepares the received object (usually a JSON structure) by calling the function encrypt(), which creates the JWT using a hardcoded RSA key. 
The data is then exfiltrated, fully encrypted, to the malware host at the path \u201c\/Updater\u201d via an HTTP POST request.<\/span><\/p>\n<p><span data-contrast=\"auto\">It then waits for the C2 response and passes it to the decrypt() function, which holds a hardcoded RSA private key to decrypt the received command; for the \u201cgetURL\u201d command, that response might contain a second-stage payload.<\/span><\/p>\n<p><span data-contrast=\"auto\">Encrypt Method:<\/span><\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-178573 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_6.png\" alt=\"\" width=\"1418\" height=\"489\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_6.png 1418w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_6-300x103.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_6-1024x353.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_6-768x265.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_6-205x71.png 205w\" sizes=\"auto, (max-width: 1418px) 100vw, 1418px\" \/><\/center><\/p>\n<p style=\"text-align: center;\"><span data-contrast=\"auto\">Figure 6. 
Encrypt function with hardcoded RSA key values as an XML string<\/span><\/p>\n<p><span data-contrast=\"auto\">The decryption method is also hardcoded into the malware, which allowed the research team to intercept and decrypt the communication from the C2: using the RSA key values provided as an XML string, it is possible to build a certificate with those parameters and decrypt the content of the JWE tokens.<\/span><\/p>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">C2 evaluation<\/span><\/h2>\n<p><span data-contrast=\"auto\">Collected data is transmitted to the C&amp;C to determine whether the device is a proper target to download a second-stage payload. The self-protection mechanism of the malware authors goes beyond traditional emulator detection and country-code or operator limitations: in this case, the command-and-control server will not deliver the second-stage payload if the device is rooted, is connected via ADB over USB, or does not have a SIM card, among multiple other environment validations.<\/span><\/p>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">DLL Custom Encryption<\/span><\/h2>\n<p><span data-contrast=\"auto\">With the getURL command, the infected client requests the malicious payload. If the C&amp;C server determines that the device is \u201cOk\u201d to receive the malicious library, it encrypts a DLL with the Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode 
using a custom key for the client that requested it based on the device id and other parameters explained below to decrypt the code since it\u2019s a symmetric encryption method, the same key works for encryption and decryption of the payload.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">Delivers the Payload in JWT<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">The encrypted DLL is inserted as part of the HTTP response in the encrypted JSON Web Token \u201cJWT\u201d. Then the client will receive the token, decrypt it, and then decrypt the \u2018url\u2019 parm with AES CBC and a custom key. <\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The AES key used to decrypt the assembly is unique per infected device and its string of 32 chars of length contains appended the device ID, brand, model, and a hardcoded padding of \u201c1\u201d up to 32 chars of length.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">For instance, if the device ID is 0123456ABCDEF010 and the affected device is a Pixel 5, then the AES key is: \u201c0123456ABCDEF010googlePixel 5111\u201d<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This means that the DLL has multiple layers of encryption.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<ol>\n<li 
data-leveltext=\"%1.\" data-font=\"\" data-listid=\"14\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">It is transported over HTTPS.<\/span><\/li>\n<li data-leveltext=\"%1.\" data-font=\"\" data-listid=\"14\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">It is encrypted as a JWE token using RSA-OAEP with the A128CBC-HS256 algorithm.<\/span><\/li>\n<li data-leveltext=\"%1.\" data-font=\"\" data-listid=\"14\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">The URL parameter that contains the DLL is encrypted with AES and encoded as base64.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<\/ol>\n<p><span data-contrast=\"auto\">All these efforts are aimed at hiding the payload and staying under the radar, and the threat has had relative success at it: some variants might have been active for years without AV detections.<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">DLL Injected<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">Xamalicious will name this DLL \u201ccache.bin\u201d and store it in the local system to finally dynamically load it using the <\/span><a href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/api\/system.reflection.assembly.load?view=net-7.0\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">Assembly.Load method<\/span><\/a><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-178587 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_7.png\" alt=\"\" width=\"728\" height=\"37\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_7.png 728w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_7-300x15.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_7-205x10.png 205w\" sizes=\"auto, (max-width: 728px) 100vw, 728px\" \/><\/center><span data-contrast=\"auto\">Figure 7. 
Loading of the second-stage payload using the Assembly.Load method.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Once the second-stage payload has been loaded, the device can be fully compromised: because accessibility permissions have already been granted, the payload can observe and interact with any activity, opening a backdoor to any type of malicious activity.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">During the analysis, the downloaded second-stage payload contained a DLL with the class \u201cMegaSDKXE\u201d, which was obfuscated and incomplete, probably because the C2 did not receive the expected parameters to provide the complete malicious second stage; delivery might be limited to a specific carrier, language, installed app, location, time zone, or other unknown conditions of the affected device. However, we can assert that this is a high-risk backdoor that leaves open the possibility of dynamically executing any command on the affected device, not limited to spying, impersonation, or financially motivated malware.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h2>Cash Magnet Ad-Fraud and Xamalicious<\/h2>\n<p>One of the Xamalicious samples detected by McAfee Mobile generic signatures was \u201cLetterLink\u201d (com.regaliusgames.llinkgame), which was available on Google Play at the end of 2020 with a book icon. It was poorly described and is in fact a hidden version of \u201cCash Magnet\u201d: an app that performs ad fraud with automated clicker activity, app downloads, and other tasks that generate affiliate-marketing revenue. 
The application offers users points that are supposedly redeemable for retail gift cards or cryptocurrency.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-179358 size-large\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure8a-473x1024.png\" alt=\"\" width=\"473\" height=\"1024\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure8a-473x1024.png 473w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure8a-138x300.png 138w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure8a-768x1664.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure8a-709x1536.png 709w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure8a-60x129.png 60w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure8a.png 886w\" sizes=\"auto, (max-width: 473px) 100vw, 473px\" \/><\/center><\/p>\n<p style=\"text-align: center;\">Figure 8a. 
LetterLink login page after running the app for the first time.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-179372 size-large\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure8b-473x1024.png\" alt=\"\" width=\"473\" height=\"1024\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure8b-473x1024.png 473w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure8b-138x300.png 138w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure8b-768x1664.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure8b-709x1536.png 709w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure8b-945x2048.png 945w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure8b-60x129.png 60w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure8b.png 1080w\" sizes=\"auto, (max-width: 473px) 100vw, 473px\" \/><\/center><\/p>\n<p style=\"text-align: center;\">Figure 8b. LetterLink agreement for Cash Magnet<\/p>\n<p>Originally published in 2019 on Google Play, \u201cCash Magnet\u201d (com.uicashmagnet) was described as a passive-income application that offered users up to $30 USD per month for running automated ads. 
After Google removed it, the authors infiltrated Google Play again with LetterLink and, more recently, \u201cDots: One Line Connector\u201d (com.orlovst.dots), both hidden versions of the same ad-fraud scheme.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-179414 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure9.png\" alt=\"\" width=\"115\" height=\"121\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure9.png 115w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure9-24x24.png 24w\" sizes=\"auto, (max-width: 115px) 100vw, 115px\" \/><\/center><\/p>\n<p style=\"text-align: center;\">Figure 9. LetterLink icon that hides Cash Magnet<\/p>\n<p>\u201cLetterLink\u201d performs multiple Xamalicious activities: it contains the \u201ccore.dll\u201d library, it connects to the same C2 server, and it uses the same hardcoded private RSA certificate to build the JWE encrypted tokens, which provides non-repudiable proof that the developers of Cash Magnet are behind Xamalicious.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-179428 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure10.png\" alt=\"\" width=\"475\" height=\"808\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure10.png 475w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure10-176x300.png 176w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure10-76x129.png 76w\" sizes=\"auto, (max-width: 475px) 100vw, 475px\" \/><\/center><\/p>\n<p style=\"text-align: center;\">Figure 10. 
Cash Magnet infiltrated Google Play as a game, available until the end of 2023<\/p>\n<p>The \u201cDots: One Line Connector\u201d app is not a game: the screenshots published on Google Play do not correspond to the application behavior, because once started it simply asks for authentication credentials without any logo or reference to Cash Magnet. \u201cDots\u201d does not contain the same DLLs as its predecessor; however, its communication with the C2 is similar and uses the same RSA key parameters. We reported this app to Google and they promptly removed it from Google Play.<\/p>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">Affected Users<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">Based on our telemetry, most affected users are in the Americas, with the most activity in the USA, Brazil, and Argentina. 
In Europe, clients also reported the infection, especially in the UK, Spain, and Germany.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-178601 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_8.png\" alt=\"\" width=\"1030\" height=\"521\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_8.png 1030w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_8-300x152.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_8-1024x518.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_8-768x388.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_8-205x104.png 205w\" sizes=\"auto, (max-width: 1030px) 100vw, 1030px\" \/><\/center><\/p>\n<p style=\"text-align: center;\"><span data-contrast=\"auto\">Figure 11. 
McAfee detections of Android\/Xamalicious around the world<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h2><span data-contrast=\"none\">Conclusion<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">Android applications written in non-Java code with frameworks such as Flutter, React Native, and Xamarin can provide an additional layer of obfuscation to malware authors who intentionally pick these tools to avoid detection, stay under the radar of security vendors, and keep their presence on app markets.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Avoid using apps that require accessibility services unless there is a genuine need. If a new app tries to convince you to activate accessibility services, claiming they are required without a real and reasonable justification, and asks you to ignore the operating system warning, that is a red flag.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The second-stage payload can take control of the device because accessibility permissions are already granted, so any other permission or action can then be obtained or performed by the malware if the injected code instructs it to.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Because it is difficult for users to actively deal with all these threats, we strongly recommend that users install security software on their devices and always keep it up to date. 
By using McAfee Mobile Security products, users can further safeguard their devices and mitigate the risks linked with these kinds of malware, providing a safer and more secure experience.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Android\/Xamalicious Samples Distributed on Google Play:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<table data-tablestyle=\"MsoNormalTable\" data-tablelook=\"1184\" aria-rowcount=\"14\">\n<tbody>\n<tr aria-rowindex=\"1\">\n<td data-celllook=\"69905\"><b><span data-contrast=\"none\">Package Name<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><b><span data-contrast=\"none\">App Name<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><b><span data-contrast=\"none\">Installs<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"2\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">com.anomenforyou.essentialhoroscope<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"none\">Essential Horoscope for Android<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">\u00a0\u00a0\u00a0\u00a0 100,000\u00a0<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:3,&quot;335551620&quot;:3,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"3\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">com.littleray.skineditorforpeminecraft<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"none\">3D Skin Editor for PE Minecraft<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">\u00a0\u00a0\u00a0\u00a0 100,000\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:3,&quot;335551620&quot;:3,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"4\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">com.vyblystudio.dotslinkpuzzles<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"none\">Logo Maker Pro<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">\u00a0\u00a0\u00a0\u00a0 100,000\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:3,&quot;335551620&quot;:3,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"5\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">com.autoclickrepeater.free<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"none\">Auto Click Repeater<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10,000\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:3,&quot;335551620&quot;:3,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"6\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">com.lakhinstudio.counteasycaloriecalculator<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"none\">Count Easy Calorie Calculator<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10,000\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:3,&quot;335551620&quot;:3,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"7\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">com.muranogames.easyworkoutsathome<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"none\">Sound Volume Extender<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5,000\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:3,&quot;335551620&quot;:3,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"8\">\n<td 
data-celllook=\"69905\"><span data-contrast=\"none\">com.regaliusgames.llinkgame<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"none\">LetterLink<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1,000\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:3,&quot;335551620&quot;:3,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"9\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">com.Ushak.NPHOROSCOPENUMBER<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"none\">NUMEROLOGY: PERSONAL HOROSCOPE &amp;NUMBER PREDICTIONS<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1,000\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:3,&quot;335551620&quot;:3,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"10\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">com.browgames.stepkeepereasymeter<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"none\">Step Keeper: Easy Pedometer<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td 
data-celllook=\"69905\"><span data-contrast=\"none\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 500\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:3,&quot;335551620&quot;:3,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"11\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">com.shvetsStudio.trackYourSleep<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"none\">Track Your Sleep<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 500\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:3,&quot;335551620&quot;:3,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"12\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">com.devapps.soundvolumebooster<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"none\">Sound Volume Booster<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 100\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:3,&quot;335551620&quot;:3,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"13\">\n<td data-celllook=\"69905\"><span 
data-contrast=\"none\">com.Osinko.HoroscopeTaro<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"none\">Astrological Navigator: Daily Horoscope &amp; Tarot<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 100\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:3,&quot;335551620&quot;:3,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"14\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">com.Potap64.universalcalculator<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"none\">Universal Calculator<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 100\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:3,&quot;335551620&quot;:3,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><span data-contrast=\"auto\">Indicators of Compromise<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n","protected":false},"excerpt":{"rendered":"<p>Authored by Fernando Ruiz\u00a0 McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows&#8230;<\/p>\n","protected":false},"author":695,"featured_media":179386,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1838,442],"tags":[],"coauthors":[4136],"class_list":["post-178502","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mobile-security","category-mcafee-labs"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Stealth Backdoor \u201cAndroid\/Xamalicious\u201d Actively Infecting Devices | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored by Fernando Ruiz\u00a0 McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Stealth Backdoor \u201cAndroid\/Xamalicious\u201d Actively Infecting Devices | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored by Fernando Ruiz\u00a0 McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an 
open-source framework that allows\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2023-12-22T19:34:18+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-06-11T16:35:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_1-149x300.png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Stealth Backdoor \u201cAndroid\/Xamalicious\u201d Actively Infecting Devices\",\"datePublished\":\"2023-12-22T19:34:18+00:00\",\"dateModified\":\"2024-06-11T16:35:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/\"},\"wordCount\":2971,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/300x200_Blog_060523.png\",\"articleSection\":[\"Mobile Security\",\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/\",\"name\":\"Stealth Backdoor \u201cAndroid\/Xamalicious\u201d Actively Infecting Devices | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/300x200_Blog_060523.png\",\"datePublished\":\"2023-12-22T19:34:18+00:00\",\"dateModified\":\"2024-06-11T16:35:17+00:00\",\"description\":\"Authored by Fernando Ruiz\u00a0 McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/300x200_Blog_060523.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/300x200_Blog_060523.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other 
Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Stealth Backdoor \u201cAndroid\/Xamalicious\u201d Actively Infecting Devices\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee 
Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Stealth Backdoor \u201cAndroid\/Xamalicious\u201d Actively Infecting Devices | McAfee Blog","description":"Authored by Fernando Ruiz\u00a0 McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Stealth Backdoor \u201cAndroid\/Xamalicious\u201d Actively Infecting Devices | McAfee Blog","og_description":"Authored by Fernando Ruiz\u00a0 McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/","og_site_name":"McAfee 
Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2023-12-22T19:34:18+00:00","article_modified_time":"2024-06-11T16:35:17+00:00","og_image":[{"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/figure_1-149x300.png","type":"","width":"","height":""}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Stealth Backdoor \u201cAndroid\/Xamalicious\u201d Actively Infecting Devices","datePublished":"2023-12-22T19:34:18+00:00","dateModified":"2024-06-11T16:35:17+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/"},"wordCount":2971,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/300x200_Blog_060523.png","articleSection":["Mobile Security","McAfee 
Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/","name":"Stealth Backdoor \u201cAndroid\/Xamalicious\u201d Actively Infecting Devices | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/300x200_Blog_060523.png","datePublished":"2023-12-22T19:34:18+00:00","dateModified":"2024-06-11T16:35:17+00:00","description":"Authored by Fernando Ruiz\u00a0 McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that 
allows","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/300x200_Blog_060523.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/12\/300x200_Blog_060523.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stealth-backdoor-android-xamalicious-actively-infecting-devices\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Stealth Backdoor \u201cAndroid\/Xamalicious\u201d Actively Infecting Devices"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security 
News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. 
See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/178502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=178502"}],"version-history":[{"count":17,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/178502\/revisions"}],"predecessor-version":[{"id":193663,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/178502\/revisions\/193663"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/179386"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=178502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=178502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=178502"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=178502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}