Thousands infected with malware that 'reinstalls itself'

More than 45,000 Android devices have been affected by the Xhelper malware since March

There's been a surge in the number of Android devices infected with a malicious app that can hide from the launcher, download other malware, and reinstall itself after it's removed.

Xhelper is a "persistent" malware that remains on Android devices even after users uninstall it manually, researchers have warned, with at least 45,000 machines affected since infections were first seen in March.

The attack mechanism used, and the pool of malware stored on its command and control (C&C) server, mean the cyber criminals behind Xhelper can execute a range of functions, from data theft to complete takeover of a device.

Xhelper's code was simple when first seen in the wild, with its main functions centred on taking users to ad pages in order to monetise.

The malware has grown more sophisticated over time, however: the code that connects to its C&C server, for instance, is now delivered as an encrypted payload, in an attempt to evade detection.

"We strongly believe that the malware's source code is still a work in progress," Symantec software engineer May Ying Tee said.

"For example, we spotted many classes and constant variables labeled as 'Jio'.

"These classes are unimplemented for now but we suspect that the attackers may be planning to target Jio users at a future date (Reliance Jio Infocomm Limited, also known as Jio, is the largest 4G network in India, with more than 300 million subscribers)."

Xhelper does not have a conventional user interface (UI) and is instead an application component, which means it won't be listed in an infected device's app launcher. Nor can it be launched manually, since it has no app icon.

The app is launched by certain external events, such as when a device is connected to the power supply, if the device is rebooted, or if an app is installed or uninstalled.

Once launched, Xhelper registers itself as a foreground service, which lowers the chances that it's closed when users try to save memory. If it is shut down, the app simply restarts itself.

From this point, Xhelper downloads and decrypts a malicious payload that allows connection with the C&C server, before waiting for commands. Additional payloads may then be downloaded, including droppers, clickers and rootkits.
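The three traits described above (no launcher entry point, wake-up on boot, power and package events, and a foreground service) can be checked in an app's manifest during triage. The following is an added example, not Symantec's tooling or Xhelper's code; the manifest it parses is a constructed sample, and the combination it flags is a heuristic that also matches some legitimate apps, so it is a prompt for closer analysis rather than a verdict.

```python
import xml.etree.ElementTree as ET

# ElementTree keys namespaced attributes as "{uri}name".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Launch triggers named in the report: reboot, power connected, app installed/removed.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Report launcher presence, event-driven receivers and foreground-service use."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return {"has_launcher": False, "triggers": [], "foreground_service": False, "suspicious": False}
    perms = {p.get(ANDROID_NS + "name") for p in root.findall("uses-permission")}
    # An app the user can open declares a LAUNCHER category on an activity (or alias).
    has_launcher = any(
        cat.get(ANDROID_NS + "name") == "android.intent.category.LAUNCHER"
        for act in app.findall("activity") + app.findall("activity-alias")
        for cat in act.iter("category")
    )
    # Receivers wired to the external events that start the component without user action.
    triggers = sorted({
        a.get(ANDROID_NS + "name")
        for rcv in app.findall("receiver")
        for a in rcv.iter("action")
        if a.get(ANDROID_NS + "name") in TRIGGER_ACTIONS
    })
    fg = "android.permission.FOREGROUND_SERVICE" in perms and app.find("service") is not None
    return {
        "has_launcher": has_launcher,
        "triggers": triggers,
        "foreground_service": fg,
        # All three traits together are what the report describes; any one alone is common.
        "suspicious": (not has_launcher) and bool(triggers) and fg,
    }

# Constructed sample manifest (not a real Xhelper artifact) showing the pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <receiver android:name=".Wake"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
      <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      <action android:name="android.intent.action.PACKAGE_ADDED"/>
    </intent-filter></receiver>
    <service android:name=".Svc"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```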

From the samples analysed, researchers learned that Xhelper was not sourced from the Google Play Store, and that it was also installed more frequently on certain phone brands. There are no suggestions that it comes preinstalled on devices, however.

As for why Xhelper keeps reinstalling itself, it's unlikely the malicious apps are system apps, meaning there may be another malicious system app that's persistently downloading the malware. This is an area Symantec researchers are currently probing.
