Thousands infected with malware that 'reinstalls itself'

More than 45,000 Android devices have been affected by the Xhelper malware since March

There's been a surge in the number of Android devices infected with a malicious app that can hide from the launcher, download other malware, and reinstall itself after it's removed.

Xhelper is a "persistent" malware that remains on Android devices even after users uninstall it manually, researchers have warned, with at least 45,000 machines affected since infections were first seen in March.

The attack mechanism it uses, and the pool of malware stored on its command and control (C&C) server, mean the cyber criminals behind Xhelper can carry out a range of functions, from data theft to complete takeover of a device.

Xhelper's code was simple when first seen in the wild, with its main functions centred on taking users to ad pages in order to monetise.


The malware has grown more sophisticated over time, however: the code that connects to its C&C server, for instance, is now delivered as an encrypted payload, in an attempt to evade detection.

"We strongly believe that the malware's source code is still a work in progress," Symantec software engineer May Ying Tee said.

"For example, we spotted many classes and constant variables labeled as 'Jio'.

"These classes are unimplemented for now but we suspect that the attackers may be planning to target Jio users at a future date (Reliance Jio Infocomm Limited, also known as Jio, is the largest 4G network in India, with more than 300 million subscribers)."

Xhelper does not have a conventional user interface (UI) and is instead an application component, which means it won't be listed in an infected device's app launcher. Nor can it be launched manually, since there is no app icon.


The app is launched by certain external events, such as when a device is connected to the power supply, if the device is rebooted, or if an app is installed or uninstalled.


Once launched, Xhelper registers itself as a foreground service, which lowers the chances that it's closed when users try to save memory. If it is shut down, the app simply restarts itself.
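The three traits described above (no launcher activity, broadcast receivers for boot, power-connected and package-change events, and a foreground service) are all visible in an app's manifest, which makes them a cheap triage signal for analysts. The following is an added example written for this article, not Symantec's tooling and not code from the malware; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the two manifests embedded below, including the component names `.Trigger` and `.Keeper`, are constructed for illustration.

```python
"""Triage heuristic: score an Android manifest for the hide-and-persist pattern.

Assumes a decoded (plain-XML) AndroidManifest.xml. A high score is a lead for
further analysis, not a verdict: legitimate apps also use some of these traits.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree form of android:name

# External events the article names as launch triggers for the malware component.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
}


def manifest_traits(manifest_xml: str) -> dict:
    """Extract the persistence-related traits from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    traits = {"has_launcher": False, "trigger_actions": set(), "foreground_service": False}
    if app is None:
        return traits

    # An app with no LAUNCHER activity has no icon and cannot be started by hand.
    for activity in app.iter("activity"):
        for intent_filter in activity.iter("intent-filter"):
            categories = {c.get(NAME_ATTR) for c in intent_filter.iter("category")}
            if "android.intent.category.LAUNCHER" in categories:
                traits["has_launcher"] = True

    # Manifest-declared receivers that wake the component on external events.
    for receiver in app.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME_ATTR) in TRIGGER_ACTIONS:
                traits["trigger_actions"].add(action.get(NAME_ATTR))

    # A declared service plus the foreground-service permission (Android 9+).
    permissions = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    traits["foreground_service"] = (
        "android.permission.FOREGROUND_SERVICE" in permissions
        and app.find("service") is not None
    )
    return traits


def persistence_score(traits: dict) -> int:
    """One point per trait; one extra point per distinct trigger action."""
    score = 0 if traits["has_launcher"] else 1
    score += len(traits["trigger_actions"])
    score += 1 if traits["foreground_service"] else 0
    return score


# Constructed sample: hidden component with boot/power/package triggers and a service.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.hidden">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <receiver android:name=".Trigger">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
      </intent-filter>
    </receiver>
    <service android:name=".Keeper"/>
  </application>
</manifest>
"""

# Constructed sample: ordinary app with a launcher icon and no trigger receivers.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benign">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        t = manifest_traits(xml)
        print(f"{label}: score={persistence_score(t)} triggers={sorted(t['trigger_actions'])}")
```

The score is deliberately coarse: a launcher-less component with several wake-up receivers and a foreground service is worth a closer look, but the same manifest shape appears in legitimate device-management or accessibility apps, so the output is a queue for human review rather than a block decision.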

From this point, Xhelper downloads and decrypts a malicious payload that allows connection with the C&C server, before waiting for commands. Additional payloads may then be downloaded, including droppers, clickers and rootkits.

From the samples analysed, researchers learned that Xhelper was not sourced from the Google Play Store, and that it was also installed more frequently on certain phone brands. There are no suggestions that it comes preinstalled on devices, however.

As for why Xhelper keeps reinstalling itself, the malicious apps themselves are unlikely to be system apps, so there may instead be a separate malicious system app that persistently downloads the malware. Symantec researchers are still investigating this.
