Xhelper malware attacks Android devices and shows extraordinary survival skills – it remains active even after the device is reset to factory settings.
The malware can deliver various payloads to the phone, but so far it has not performed any destructive actions, limiting itself to displaying advertisements. Researchers have been observing the campaign since March 2019. “Named xHelper, this malware was first spotted back in March but slowly expanded to infect more than 32,000 devices by August (per Malwarebytes), eventually reaching a total of 45,000 infections this month (per Symantec). The malware is on a clear upward trajectory. Symantec says the xHelper crew is making on average 131 new victims per day and around 2,400 new victims per month,” write the journalists at ZDNet.
Experts have not been able to pinpoint Xhelper’s distribution channels, but suggest that it is downloaded from unofficial app repositories. Alternatively, the victim may be redirected to a web page hosting a malicious archive, or may install the malware bundled with a legitimate application.
As security analysts explained, smartphones of some brands appear in the infection statistics more often than others. Nevertheless, the experts consider a supply-chain compromise unlikely and instead suggest that a system application, deliberately modified by the attackers, is loading the malicious code.
Once launched, Xhelper registers itself with the system as a high-priority (foreground) service. Because it runs as a component of the host application rather than as a stand-alone app with a launcher icon, the malware does not appear in the list of installed apps, so it cannot be started manually or removed from the phone in the usual way.
Xhelper is activated by any of the following events:
- connecting or disconnecting the charger;
- rebooting the smartphone;
- installing or uninstalling an application.
Because the malware runs as a foreground service, Android is reluctant to kill it even under memory pressure, so it keeps working when RAM runs low. Once established, it unpacks its components and loads them into memory, then opens an SSL/TLS connection to the command-and-control server and downloads an additional payload from it.
This functionality lets the attackers easily widen their scope, for example to data theft or even to taking full control of the device.
In October of this year it became known that the Gustuff banking trojan had received an update and was again attacking Android devices. The program generates a fake login window on the fly when the victim visits a financial institution’s website or opens a mobile banking application. The malware spreads via links in SMS messages and targets Australian users.
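The persistence pattern described above (broadcast receivers for the charger, reboot and package events, a long-running service, and no launcher entry the user could open or uninstall from) is visible in an app's decoded manifest before any dynamic analysis. The triage script below is an added example, not code from this article or from Symantec or Malwarebytes. It parses a decoded AndroidManifest.xml (the kind apktool produces) and reports those indicators. The two manifests embedded in it are constructed for the example, with hypothetical package names; the broadcast actions, permission names and MAIN/LAUNCHER intent filter are real Android constants, but the assumption that a sample of this family declares exactly this combination is mine, so treat the verdict as a triage heuristic, not a signature.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr: str) -> str:
    """ElementTree-qualified name for an android:<attr> attribute."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Real Android broadcast actions, grouped by the three trigger types the article lists.
TRIGGER_GROUPS = {
    "android.intent.action.ACTION_POWER_CONNECTED": "charger",
    "android.intent.action.ACTION_POWER_DISCONNECTED": "charger",
    "android.intent.action.BOOT_COMPLETED": "reboot",
    "android.intent.action.PACKAGE_ADDED": "package",
    "android.intent.action.PACKAGE_REMOVED": "package",
}

# CONSTRUCTED sample shaped like the behaviour described in the article
# (hypothetical package name; not a real xHelper manifest).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hidden.helper">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="helper">
    <service android:name=".CoreService" android:enabled="true"/>
    <receiver android:name=".WakeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# CONSTRUCTED control: an ordinary app that also restarts on boot but has a launcher icon.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def analyze_manifest(xml_text: str) -> dict:
    """Return persistence indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(a("name")) for e in root.iter("uses-permission")}

    # Which of the article's trigger groups does some receiver listen for?
    trigger_groups = set()
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            group = TRIGGER_GROUPS.get(action.get(a("name")))
            if group:
                trigger_groups.add(group)

    # A MAIN/LAUNCHER intent filter is what gives an app an icon the user can open.
    has_launcher = False
    for activity in list(root.iter("activity")) + list(root.iter("activity-alias")):
        for flt in activity.iter("intent-filter"):
            actions = {x.get(a("name")) for x in flt.iter("action")}
            categories = {x.get(a("name")) for x in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                has_launcher = True

    declares_service = any(True for _ in root.iter("service"))
    result = {
        "package": root.get("package", ""),
        "trigger_groups": sorted(trigger_groups),
        "declares_service": declares_service,
        # Required for startForeground() only when targeting Android 9+, so absence is weak evidence.
        "foreground_service_permission": "android.permission.FOREGROUND_SERVICE" in permissions,
        "hidden_from_launcher": not has_launcher,
    }
    result["suspicious"] = (
        trigger_groups == {"charger", "reboot", "package"}
        and declares_service
        and not has_launcher
    )
    return result


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, analyze_manifest(manifest))
```

The control manifest matters: plenty of legitimate apps register for BOOT_COMPLETED, so a single trigger proves nothing; the heuristic only fires on the full combination of all three trigger groups, a declared service, and the absence of any launcher entry.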
How to avoid becoming a victim of Xhelper?
There appears to be a battle between the xHelper crew and mobile antivirus solutions, with each one trying to get the better of the other.
Symantec’s research team recommends that users follow these tips to avoid getting infected with this persistent and almost impossible to get rid of malware:
- Keep your software up to date.
- Do not download apps from unfamiliar sites.
- Only install apps from trusted sources.
- Pay close attention to the permissions requested by apps.
- Make frequent backups of important data.
Malwarebytes Labs also recommends being cautious while browsing the web and carefully selecting the websites you visit on your Android device.