Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Friday April 17 2020, @12:43AM   Printer-friendly
from the where's-xhelper dept.

The secret behind "unkillable" Android backdoor called xHelper has been revealed:

In February, a researcher detailed a widely circulating Android backdoor that's so pernicious that it survives factory resets, a trait that makes the malware impossible to remove without taking unusual measures.

The analysis found that the unusual persistence was the result of rogue folders containing a trojan installer, neither of which was removed by a reset. The trojan dropper would then reinstall the backdoor in the event of a reset. Despite those insights, the researcher still didn't know precisely how that happened. Now, a different researcher has filled in the missing pieces. More about that later. First, a brief summary of xHelper.

The malicious Android app poses as a performance enhancer that removes old and unneeded files. Antivirus provider Malwarebytes has detected it on 33,000 devices, mainly located in the United States, while AV from Russia-based Kaspersky Lab found it on 50,000 devices. There's no evidence xHelper has ever been distributed through Google Play.

Once installed, xHelper installs a backdoor that remotely installs apps downloaded from an attacker-controlled server. It also executes commands as a superuser, a powerful privilege setting that gives the malware unfettered system rights. Besides that, the backdoor has access to sensitive data, including browser cookies used to sign in to sites automatically. Once the backdoor is installed, the fake cleaner app disappears from the main screen and program menu and can only be viewed by inspecting the list of installed apps in the system settings.

Previously:
Android Users Hit With 'Unkillable Malware'


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Informative) by anubi on Friday April 17 2020, @03:36AM

    by anubi (2828) on Friday April 17 2020, @03:36AM (#983943) Journal

    Some more...

    "Hidden inside a directory named com.mufc.umbtts was an Android application package, or APK, that dropped an xHelper variant. The variant, in turn, dropped more malware within seconds."

    Apparently, she was able to rid herself of this nuisance by deleting the folders...

    I guess it goes without saying to stay offline until you clean up the mess.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    Starting Score:    1  point
    Moderation   +2  
       Informative=2, Total=2
    Extra 'Informative' Modifier   0  

    Total Score:   3