
posted by Fnord666 on Friday April 17 2020, @12:43AM
from the where's-xhelper dept.

The secret behind "unkillable" Android backdoor called xHelper has been revealed:

In February, a researcher detailed a widely circulating Android backdoor that's so pernicious that it survives factory resets, a trait that makes the malware impossible to remove without taking unusual measures.

The analysis found that the unusual persistence was the result of rogue folders containing a trojan installer, neither of which was removed by a reset. The trojan dropper would then reinstall the backdoor in the event of a reset. Despite those insights, the researcher still didn't know precisely how that happened. Now, a different researcher has filled in the missing pieces. More about that later. First, a brief summary of xHelper.

The malicious Android app poses as a performance enhancer that removes old and unneeded files. Antivirus provider Malwarebytes has detected it on 33,000 devices, mainly located in the United States, while AV from Russia-based Kaspersky Lab found it on 50,000 devices. There's no evidence xHelper has ever been distributed through Google Play.

Once installed, xHelper installs a backdoor that remotely installs apps downloaded from an attacker-controlled server. It also executes commands as a superuser, a powerful privilege setting that gives the malware unfettered system rights. Besides that, the backdoor has access to sensitive data, including browser cookies used to sign in to sites automatically. Once the backdoor is installed, the fake cleaner app disappears from the main screen and program menu and can only be viewed by inspecting the list of installed apps in the system settings.

Previously:
Android Users Hit With 'Unkillable Malware'

  • (Score: 0) by Anonymous Coward on Friday April 17 2020, @02:55AM (#983921)

    Mysterious origins
    While the exact origins of xHelper are being actively investigated, Symantec suspects two different possibilities: a rogue app laced with the malware is possibly being downloaded by users from unknown sources, or a malicious system app that’s persistently downloading the malware despite users performing factory resets and manually uninstalling it.

    Malwarebytes researchers, on the other hand, believe it’s being spread via shady game websites that trick unsuspecting users into downloading apps from untrusted third-party sources.

    Aside from operating silently in the background, xHelper takes its stealth behavior to new heights by not creating an app icon or a shortcut icon on the home screen launcher. The only indicator is a listing in the app info section of the infected phone’s settings.

    The lack of an app icon means the malware cannot be launched manually. But to get around the problem, it relies on external triggers — like connecting or disconnecting the infected device from a power supply, rebooting a device, or installing or uninstalling an app — to run itself as a foreground service that minimizes the chance of getting killed.

    https://thenextweb.com/security/2019/10/30/45000-android-devices-infected-by-new-unremovable-xhelper-malware/
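A defender-side illustration added by the editor; it is not part of the story, of the articles it quotes, or of the comment above. The story and the quoted TNW piece describe two traits of xHelper: the app draws no launcher icon, and it starts itself from external triggers (boot, power connect/disconnect, app install/removal) as a foreground service. Those traits are visible in an APK's AndroidManifest.xml, so a triage script can flag packages that combine them. Both manifests below are constructed for this example, the package names are placeholders and not real indicators, and the "suspicious" verdict is a heuristic, not a malware signature.

```python
"""
Static triage of an Android manifest for two traits the xHelper write-ups
describe: no MAIN/LAUNCHER activity (no icon) and broadcast receivers for
trigger events that start a declared service. Constructed example only.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # expanded form of the android:name attribute

# Broadcast actions matching the external triggers named in the article:
# reboot, power connect/disconnect, app install/uninstall.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
}

# Constructed sample: a "cleaner" with no launcher activity, two trigger
# receivers and a service. Package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.cleaner">
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="Speed Cleaner">
        <receiver android:name=".Wakeup">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".PkgWatch">
            <intent-filter>
                <action android:name="android.intent.action.PACKAGE_ADDED"/>
                <data android:scheme="package"/>
            </intent-filter>
        </receiver>
        <service android:name=".Worker"/>
    </application>
</manifest>
"""

# Constructed benign sample: a normal app that also listens for boot, but
# has a launcher icon, so the heuristic should not flag it.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.notes">
    <application android:label="Notes">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".SyncService"/>
    </application>
</manifest>
"""


def has_launcher_activity(root):
    """True if some activity declares MAIN + LAUNCHER, i.e. an icon is shown."""
    for activity in root.iter("activity"):
        for flt in activity.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            cats = {c.get(NAME) for c in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                return True
    return False


def trigger_actions(root):
    """Trigger broadcast actions that any receiver in the manifest listens for."""
    found = set()
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME) in TRIGGER_ACTIONS:
                found.add(action.get(NAME))
    return found


def triage(manifest_xml):
    """Return findings; 'suspicious' is True only when all three traits co-occur."""
    root = ET.fromstring(manifest_xml)
    launcher = has_launcher_activity(root)
    triggers = sorted(trigger_actions(root))
    has_service = any(True for _ in root.iter("service"))
    return {
        "package": root.get("package"),
        "has_launcher_icon": launcher,
        "trigger_actions": triggers,
        "declares_service": has_service,
        "suspicious": (not launcher) and bool(triggers) and has_service,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        for key, value in triage(manifest).items():
            print(f"{key}: {value}")
        print()
```

The heuristic deliberately requires all three traits together: plenty of legitimate apps register a boot receiver, and some (widgets, input methods) have no launcher activity, so any one trait alone is noise. On a device the same question can be asked of installed packages rather than APK files, which is why the story notes the hidden app is only visible in the system settings' app list.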