Doctor Web experts discovered new samples of the Android.Xiny family of Trojans. This malware endangers 25% of users and it is almost impossible to remove.
Android.Xiny has been known to information security experts since 2015 and it is still dangerous for users. It continues to develop because, according to Google, 25.2% of devices still run Android 5.1 or lower, which makes them excellent targets for Android.Xiny. Starting with the earliest versions, the main function of the Android.Xiny Trojan is to install arbitrary applications on the device without user permission. Thus, attackers can earn money by participating in affiliate programs that pay for each installation.
“Malware developers are actively distributing such Trojans through various sites, from collections of software for mobile devices to official application directories such as Google Play”, – say Dr.Web experts.
Once installed on an Android device, the Android.Xiny family of malware tries to gain root access to be able to quietly download and install various software. In addition, the Trojans can display intrusive ads. One of the main features of this family of malware from the very beginning was a unique mechanism of protection against removal.
It is based on the fact that the Trojan's apk files are assigned the “immutable” file attribute. As a result, an attempt to remove the application looks successful: its data is deleted, but the apk file itself stays in place. After rebooting the device, the application “appears” again.
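As an added defender-side check (not code from the article or from Doctor Web), the following script looks for the persistence trick just described: application packages that carry the ext “immutable” attribute, which a normal app install never sets. It parses `lsattr -R` output and can also run `lsattr` live on a mounted partition; the sample output and file names below are constructed, not real Android.Xiny artifacts.

```python
"""Find APK files marked 'immutable' (the lsattr 'i' flag), the attribute
Android.Xiny sets so that its package survives an uninstall.

Added example, not part of the original article. The sample lsattr output
and package names are constructed for illustration."""
import shutil
import subprocess
from typing import Iterator, List, Optional, Tuple

# Constructed sample of `lsattr -R` output on an ext4 /system partition.
# e2fsprogs prints one character per attribute ('-' when unset), a space,
# then the path; recursive runs add "<dir>:" headers and blank lines.
SAMPLE_LSATTR_OUTPUT = """\
/system/app:
--------------e------- /system/app/Calendar.apk
----i---------e------- /system/app/com.example.hidden.apk

/system/priv-app:
--------------e------- /system/priv-app/Settings.apk
----i---------e------- /system/priv-app/com.example.rootsvc.apk
"""


def parse_lsattr(output: str) -> Iterator[Tuple[str, str]]:
    """Yield (flags, path) pairs, skipping directory headers and blank lines."""
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line or line.endswith(":"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        flags, path = parts
        # A flags field holds only attribute letters or '-'; anything else is
        # an lsattr error line ("lsattr: Operation not supported ...") and is skipped.
        if not all(ch == "-" or ch.isalpha() for ch in flags):
            continue
        yield flags, path


def immutable_files(output: str, suffix: Optional[str] = ".apk") -> List[str]:
    """Return paths whose flags contain 'i' (immutable), optionally filtered by suffix."""
    return [
        path
        for flags, path in parse_lsattr(output)
        if "i" in flags and (suffix is None or path.endswith(suffix))
    ]


def remediation_steps(paths: List[str]) -> List[str]:
    """Commands an analyst would run (with root, on a writable mount) before
    deleting the file; returned as text, not executed."""
    return [f"chattr -i {p}" for p in paths]


def scan_live(directory: str, suffix: Optional[str] = ".apk") -> List[str]:
    """Run lsattr on a real directory. Needs the lsattr binary and an ext
    filesystem; on other filesystems lsattr reports errors, which are skipped."""
    if shutil.which("lsattr") is None:
        raise RuntimeError("lsattr binary not available on this host")
    proc = subprocess.run(
        ["lsattr", "-R", directory], capture_output=True, text=True, check=False
    )
    return immutable_files(proc.stdout, suffix)


if __name__ == "__main__":
    hits = immutable_files(SAMPLE_LSATTR_OUTPUT)
    for path in hits:
        print("immutable package:", path)
    for cmd in remediation_steps(hits):
        print("  before removal:", cmd)
```

On a device, the same check is run from a root shell (for example via `adb shell`) against `/system/app` and `/system/priv-app`; an entry with the `i` flag on a partition that is supposed to hold only vendor packages is a strong indicator of the mechanism the article describes.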
The creators of all kinds of Trojans and ransomware have begun to act quite inventively: for example, we recently reported that the Ryuk ransomware now uses the Wake-on-LAN feature to turn on devices in a compromised network and ensure more complete encryption.
Now, at the end of 2019, researchers discovered new Android.Xiny samples, noting changes in the system file /system/lib/libc.so. This is one of the main libraries of Linux-based operating systems, responsible for system calls and basic functions.
“Currently, the Trojan’s self-defense consists of two parts: its installer uninstalls root-rights management applications, and the modified libc.so library prevents them from being installed again. In addition, this protection disables “competitors” – other malware that gets root rights and installs itself in the system partition, because they work on the same principle as “good” applications for getting root”, – say the researchers.
How to get rid of Android.Xiny.5260?
Getting rid of the latest Android.Xiny.5260 is difficult. One option is to reflash the device’s firmware (first make sure that firmware for it is publicly available). The malware can also be removed another way. To get root access, you can use exploits in the form of .so libraries: unlike executable files, the Trojan does not block them from being loaded. You can also use the component of the Trojan itself that is designed to provide root rights to its other parts. It receives commands through a socket at the path /dev/socket/hs_linux_work201908091350 (the path may differ between modifications).
As for bypassing the mount lock, you can use the “magic” value of the mountflags parameter, or directly call the corresponding syscall.