Thousands infected with malware that 'reinstalls itself'

More than 45,000 Android devices have been affected by the Xhelper malware since March

There's been a surge in the number of Android devices infected with a malicious app that can hide from the launcher, download other malware, and reinstall itself after it's removed.

Xhelper is a "persistent" malware that remains on Android devices even after users uninstall it manually, researchers have warned, with at least 45,000 machines affected since infections were first seen in March.

The attack mechanism used, and the pool of malware stored on its command and control (C&C) server, mean the cyber criminals behind Xhelper can execute a range of functions, from data theft to complete takeover of a device.

Xhelper's code was simple when first seen in the wild, with its main functions centred on taking users to ad pages to generate revenue.

The malware has grown more sophisticated over time, however. For instance, the functionality for connecting to its C&C server now arrives as an encrypted payload, in an attempt to evade detection.

"We strongly believe that the malware's source code is still a work in progress," Symantec software engineer May Ying Tee said.

"For example, we spotted many classes and constant variables labeled as 'Jio'.

"These classes are unimplemented for now but we suspect that the attackers may be planning to target Jio users at a future date (Reliance Jio Infocomm Limited, also known as Jio, is the largest 4G network in India, with more than 300 million subscribers)."

Xhelper does not have a conventional user interface (UI) and is instead an application component, which means it won't be listed in an infected device's app launcher. It also can't be launched manually, given there's no app icon.

The app is launched by certain external events, such as the device being connected to a power supply, the device being rebooted, or an app being installed or uninstalled.

Once launched, Xhelper registers itself as a foreground service, which lowers the chances that it's closed when users try to save memory. If it is shut down, the app simply restarts itself.
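
The behaviour described above (no launcher entry, start-up on external events, a long-running service) can be looked for in an app's manifest. The following triage check is an added example, not code from this article or from Symantec's research. It assumes the manifest has already been decoded to text XML and that the trigger events map to the standard Android broadcast actions listed in `TRIGGERS`; the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
LAUNCHER = "android.intent.category.LAUNCHER"
# Assumption: the article's trigger events mapped to standard Android broadcasts.
TRIGGERS = {
    "android.intent.action.BOOT_COMPLETED",          # device rebooted
    "android.intent.action.ACTION_POWER_CONNECTED",  # power connected
    "android.intent.action.PACKAGE_ADDED",           # app installed
    "android.intent.action.PACKAGE_REMOVED",         # app uninstalled
}

def triage(manifest_xml):
    """Return the indicators found in one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = lambda p: {e.get(NS + "name") for e in root.iterfind("application/" + p)}
    cats = names("activity/intent-filter/category") | names("activity-alias/intent-filter/category")
    triggers = sorted(names("receiver/intent-filter/action") & TRIGGERS)
    hidden = LAUNCHER not in cats
    has_service = root.find("application/service") is not None
    return {
        "package": root.get("package"),
        "hidden_from_launcher": hidden,
        "trigger_receivers": triggers,
        "declares_service": has_service,
        # Triage heuristic only: legitimate plugins and keyboards can match too.
        "review": hidden and has_service and bool(triggers),
    }

# Constructed sample manifests (not taken from any real app or Xhelper sample).
HIDDEN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.hidden">
 <application>
  <service android:name=".Core"/>
  <receiver android:name=".Wake"><intent-filter>
   <action android:name="android.intent.action.BOOT_COMPLETED"/>
   <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
   <action android:name="android.intent.action.PACKAGE_ADDED"/>
  </intent-filter></receiver>
 </application></manifest>"""
NORMAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
 <application><activity android:name=".Main"><intent-filter>
   <category android:name="android.intent.category.LAUNCHER"/>
  </intent-filter></activity>
  <receiver android:name=".Boot"><intent-filter>
   <action android:name="android.intent.action.BOOT_COMPLETED"/>
  </intent-filter></receiver>
 </application></manifest>"""

if __name__ == "__main__":
    for sample in (HIDDEN, NORMAL):
        print(triage(sample))
```

A match is a reason to inspect the package further, not a verdict on its own.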

From this point, Xhelper downloads and decrypts a malicious payload that allows connection with the C&C server, before waiting for commands. Additional payloads may then be downloaded, including droppers, clickers and rootkits.

From the samples analysed, researchers learned that Xhelper was not sourced from the Google Play Store, and that it was also installed more frequently on certain phone brands. There are no suggestions that it comes preinstalled on devices, however.

As for why Xhelper keeps reinstalling itself, it's unlikely the malicious apps are system apps, meaning there may be another malicious system app that's persistently downloading the malware. This is an area Symantec researchers are currently probing.
