This article was published on October 30, 2019

45,000 Android devices infected by new unremovable xHelper malware


45,000 Android devices infected by new unremovable xHelper malware

A new kind of Android malware capable of reinstalling itself even after being manually removed has reportedly infected more than 45,000 Android devices over the last six months.

The latest findings — disclosed by cybersecurity firm Symantec — come after a similar disclosure by MalwareBytes, which first spotted the malware in the wild in May 2019.

Called xHelper, the Trojan — affecting mostly users in India, the US, and Russia — has since shot up to the top 10 list of most detected mobile malware, with Symantec observing what it calls “a surge in detections” of the malicious Android malware that can hide itself from users, download additional malicious apps, and display advertisements.

“In the past month alone, there was an average of 131 devices infected each day, and an average of 2,400 devices persistently infected throughout the month,” the company said. It’s worth noting that MalwareBytes had pegged the number of affected phones at 33,000, suggesting a rapid increase in just over two months.

Mysterious origins

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

While the exact origins of xHelper is being actively investigated, Symantec suspects two different possibilities: a rogue app laced with the malware is possibly being downloaded by users from unknown sources, or a malicious system app that’s persistently downloading the malware despite users performing factory resets and manually uninstalling it.

MalwareBytes researchers, on the other hand, believe it’s being spread via shady game websites that trick unsuspecting users into downloading apps from untrusted third-party sources.

Aside from operating silently in the background, xHelper takes its stealth behavior to new heights by not creating an app icon or a shortcut icon on the home screen launcher. The only indicator is a listing in the app info section of the infected phone’s settings.

The lack of an app icon means the malware cannot be launched manually. But to get around the problem, it relies on external triggers — like connecting or disconnecting the infected device from a power supply, rebooting a device, or installing or uninstalling an app — to run itself as a foreground service that minimizes the chance of getting killed.

From adware to potent threat

The good news, if there can be one, is that the malware doesn’t do anything particularly sophisticated, other than bombarding device owners with intrusive pop-up ads and spam the device with notifications for free games. But it could be deftly exploited to deliver additional second-stage malware payloads given its meticulously crafted evasion tactics to avoid detection.

This could easily morph the malware from an adware annoyance to a significant security threat capable of installing other malicious applications on the device or even remotely taking over the device entirely.

Symantec said xHelper’s functionality has expanded drastically in recent times, although the researchers warn it’s constantly evolving to target new victims. The unfinished code — with many variables labeled as ‘Jio’ — has led the researchers to suspect that the attackers may be planning to target Jio users at a future date.

For those who are unfamiliar, Jio is the second largest cellular network in India operated by Reliance Industries boasting of over 300 million subscribers.

To safeguard your devices from such attacks, it’s always recommended that you keep devices and apps up-to-date, stick to the Google Play Store for downloading apps, and be extremely cautious of the mobile websites you visit.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with