Thousands infected with malware that 'reinstalls itself'

More than 45,000 Android devices have been affected by the Xhelper malware since March

There's been a surge in the number of Android devices infected with a malicious app that can hide from the launcher, download other malware, and reinstall itself after it's removed.

Xhelper is a "persistent" malware that remains on Android devices even after users uninstall it manually, researchers have warned, with at least 45,000 machines affected since infections were first seen in March.

Advertisement - Article continues below

The attack mechanism used, and the pool of malware stored on its command and control (C&C) server, means the cyber criminals behind Xhelper can execute a range of functions. These can range from data theft to complete takeover of a device.

Xhelper's code was simple when first seen in the wild, with its main functions centred on taking users to ad pages in order to monetise.

The malware has grown more sophisticated with time, however, with the ability to connect to its C&C server now coming in the form of an encrypted payload, for instance. This has been done in an attempt to evade detection.

"We strongly believe that the malware's source code is still a work in progress," Symantec software engineer May Ying Tee said.

"For example, we spotted many classes and constant variables labeled as 'Jio'.

Advertisement - Article continues below

"These classes are unimplemented for now but we suspect that the attackers may be planning to target Jio users at a future date (Reliance Jio Infocomm Limited, also known as Jio, is the largest 4G network in India, with more than 300 million subscribers)."

Advertisement - Article continues below

Xhelper does not have a conventional user interface (UI) and is instead an application component, which means it won't be listed in an infected device's app launcher. It can't also be launched manually, given there's no app icon.

Related Resource

Thousands infected with malware that 'reinstalls itself'

More than 45,000 Android devices have been affected by the Xhelper malware since March

The app is launched by certain external events, such as when a device is connected to the power supply, if the device is rebooted, or if an app is installed or uninstalled.

Once launched, Xhelper registers itself as a foreground service, which lowers the chances that it's closed when users try to save memory. If it is shut down, the app simply restarts itself.

From this point, Xhelper downloads and decrypts a malicious payload that allows connection with the C&C server, before waiting for commands. Additional payloads may then be downloaded, including droppers, clickers and rootkits.

From the samples analysed, researchers learned that Xhelper was not sourced from the Google Play Store, and that it was also installed more frequently on certain phone brands. There are no suggestions that it comes preinstalled on devices, however.

As for why Xhelper keeps reinstalling itself, it's unlikely the malicious apps are system apps, meaning there may be another malicious system app that's persistently downloading the malware. This is an area Symantec researchers are currently probing.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now



Evasive malware threats doubled in 2019

24 Mar 2020

10 quick tips to identifying phishing emails

16 Mar 2020
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020

Best free malware removal tools 2019

2 Mar 2020

Most Popular


Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
high-performance computing (HPC)

IBM dedicates supercomputing power to coronavirus research

24 Mar 2020