posted by Fnord666 on Wednesday April 08 2020, @07:57PM
from the rooted-in-your-phone dept.

Arthur T Knackerbracket has found the following story:

An Android malware package likened to a Russian matryoshka nesting doll has security researchers raising the alarm, since it appears it's almost impossible to get rid of.

Known as xHelper, the malware has been spreading mainly in Russia, Europe, and Southwest Asia on Android 6 and 7 devices (which, while old and out of date, make up around 15 per cent of the current user base) for the past year from unofficial app stores. Once on a gizmo, it opens a backdoor, allowing miscreants to spy on owners, steal their data, and cause mischief.

It has only recently been picked apart by Kaspersky Lab bods, and what makes the malware particularly nasty, the researchers say, is how it operates on multiple layers on the tablets and handsets it infects.

"The main feature of xHelper is entrenchment," explained Igor Golovin on Tuesday. "Once it gets into the phone, it somehow remains there even after the user deletes it and restores the factory settings."

[...] The best thing to do, though, is go a step further than a factory reset, and erase the flash memory completely, including the system partition, and put in a fresh clean copy. "If you have Recovery mode set up on your Android smartphone," said Golovin, "you can try to extract the libc.so file from the original firmware and replace the infected one with it, before removing all malware from the system partition. However, it’s simpler and more reliable to completely reflash the phone."

Even better advice is to avoid downloading any suspicious apps from the Google Play Store, just to be safe, and definitely don't use unauthorized third-party stores at all.



Related Stories

The Secret Behind "Unkillable" Android Backdoor Called xHelper has been Revealed

The secret behind "unkillable" Android backdoor called xHelper has been revealed:

In February, a researcher detailed a widely circulating Android backdoor that's so pernicious that it survives factory resets, a trait that makes the malware impossible to remove without taking unusual measures.

The analysis found that the unusual persistence was the result of rogue folders containing a trojan installer, neither of which was removed by a reset. The trojan dropper would then reinstall the backdoor in the event of a reset. Despite those insights, the researcher still didn't know precisely how that happened. Now, a different researcher has filled in the missing pieces. More about that later. First, a brief summary of xHelper.

The malicious Android app poses as a performance enhancer that removes old and unneeded files. Antivirus provider Malwarebytes has detected it on 33,000 devices, mainly located in the United States, while AV from Russia-based Kaspersky Lab found it on 50,000 devices. There's no evidence xHelper has ever been distributed through Google Play.

Once installed, xHelper installs a backdoor that remotely installs apps downloaded from an attacker-controlled server. It also executes commands as a superuser, a powerful privilege setting that gives the malware unfettered system rights. Besides that, the backdoor has access to sensitive data, including browser cookies used to sign in to sites automatically. Once the backdoor is installed, the fake cleaner app disappears from the main screen and program menu and can only be viewed by inspecting the list of installed apps in the system settings.

Previously:
Android Users Hit With 'Unkillable Malware'



  • (Score: 2, Funny) by Anonymous Coward on Wednesday April 08 2020, @08:20PM (8 children)

    by Anonymous Coward on Wednesday April 08 2020, @08:20PM (#980366)

    I peer over my walled garden and mock your malware problems.

    • (Score: 2) by DannyB on Wednesday April 08 2020, @09:58PM (1 child)

      by DannyB (5839) Subscriber Badge on Wednesday April 08 2020, @09:58PM (#980401) Journal

      What if these malware 'problems' were targeted only at these ancient old versions by *cough* someone *cough* who would be interested in you getting a newer phone with a newer version of Android?

      Naaaah. That could never happen.

      --
      The lower I set my standards the more accomplishments I have.
      • (Score: 1) by petecox on Thursday April 09 2020, @02:51AM

        by petecox (3228) on Thursday April 09 2020, @02:51AM (#980483)

        Until something better comes along. Sadly, Librem 5 is unaffordable vaporware.

    • (Score: 3, Touché) by SomeGuy on Wednesday April 08 2020, @10:23PM (5 children)

      by SomeGuy (5632) on Wednesday April 08 2020, @10:23PM (#980406)

      I peer over my computerless POTS desk phone and mock your malware problems - and you.

      • (Score: 2) by Mojibake Tengu on Wednesday April 08 2020, @11:06PM (2 children)

        by Mojibake Tengu (8598) on Wednesday April 08 2020, @11:06PM (#980420) Journal

        Do you think your plain old desktop telephone cannot be tapped?

        --
        Respect Authorities. Know your social status. Woke responsibly.
        • (Score: 1, Informative) by Anonymous Coward on Thursday April 09 2020, @02:20AM

          by Anonymous Coward on Thursday April 09 2020, @02:20AM (#980478)

          True, but give him credit. You'd need a soldering iron and a chunk of time to do it.
          Those POTS phones can be hacked quite easily, it's just not as easy as remotely pwning a modern mobile phone.

        • (Score: 2) by DannyB on Thursday April 09 2020, @04:05PM

          by DannyB (5839) Subscriber Badge on Thursday April 09 2020, @04:05PM (#980599) Journal

          Wait . . . um, you're saying that some kind of amazing technology has already been developed to tap POTS phones?

          OMG!

          --
          The lower I set my standards the more accomplishments I have.
      • (Score: 1, Touché) by Anonymous Coward on Wednesday April 08 2020, @11:06PM (1 child)

        by Anonymous Coward on Wednesday April 08 2020, @11:06PM (#980421)

        Yeah, it's OK. You can go back to sleep again, Gramps.

        • (Score: 2) by DannyB on Thursday April 09 2020, @04:06PM

          by DannyB (5839) Subscriber Badge on Thursday April 09 2020, @04:06PM (#980600) Journal

          Not for long. Those old POTS phones have loud and annoying ringers. Actual physical bells.

          --
          The lower I set my standards the more accomplishments I have.
  • (Score: 4, Insightful) by epitaxial on Wednesday April 08 2020, @08:21PM (3 children)

    by epitaxial (3165) on Wednesday April 08 2020, @08:21PM (#980368)

    Sounds like the majority of Android phones. Unless you buy a flagship phone from Samsung don't expect any more than one or two updates.

    • (Score: 1, Funny) by Anonymous Coward on Wednesday April 08 2020, @09:30PM

      by Anonymous Coward on Wednesday April 08 2020, @09:30PM (#980395)

      No risk then to my Android 4 phone.

    • (Score: 2) by looorg on Wednesday April 08 2020, @09:41PM

      by looorg (578) on Wednesday April 08 2020, @09:41PM (#980397)

      That is probably true, certainly for some of the older phones and phones in the various budget segments, as they can't even be updated anymore -- they usually lack the memory, storage etc. to even get the newer updates, so they are just shit out of luck in that regard.
      Then I guess it's that whole issue of actually updating your phone. Most people just don't bother with it; they get a new phone instead.
      Funny (not funny ha-ha) thing about it: I wasn't even allowed to update my last work phone since it would break the APP used for a lot of inter-office communication etc. (schedule sharing etc.). So there is probably that aspect of it too.

      Sure things look so much greener over there in the Apple garden ... no poison apples or snakes there ...

    • (Score: 2) by mcgrew on Thursday April 09 2020, @03:31PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Thursday April 09 2020, @03:31PM (#980592) Homepage Journal

      I just bought a new Motorola to replace my aging Kyocera, and as soon as it was set up it informed me of an available update, which I promptly downloaded and installed. That's quite unlike my three year old Acer tablet, a real piece of shit that got its first update last fall.

      I never do commerce on the phone or tablet anyway. In person or on the PC.

      --
      mcgrewbooks.com mcgrew.info nooze.org
  • (Score: 2) by acid andy on Wednesday April 08 2020, @08:34PM

    by acid andy (1683) on Wednesday April 08 2020, @08:34PM (#980377) Homepage Journal

    At first glance, I must admit I read it as 'Unlikable Malware'. Looking at the world of mobile (cr)apps, you could believe the users probably think they like a lot of the malware.

    --
    If a cat has kittens, does a rat have rittens, a bat bittens and a mat mittens?
  • (Score: 3, Touché) by Anonymous Coward on Wednesday April 08 2020, @09:14PM

    by Anonymous Coward on Wednesday April 08 2020, @09:14PM (#980388)

    avoid downloading any suspicious apps from the Google Play Store, just to be safe, and definitely don't use unauthorized third-party stores at all.

    No problem, Google Play store is an unauthorized third party store on my phone.

  • (Score: 0) by Anonymous Coward on Wednesday April 08 2020, @09:55PM (1 child)

    by Anonymous Coward on Wednesday April 08 2020, @09:55PM (#980400)

    I only run Windows 10... you can unplug the computer to kill it.

    • (Score: 3, Funny) by DannyB on Wednesday April 08 2020, @10:00PM

      by DannyB (5839) Subscriber Badge on Wednesday April 08 2020, @10:00PM (#980403) Journal

      Windows is shutting up down.

      --
      The lower I set my standards the more accomplishments I have.
  • (Score: 3, Insightful) by Anonymous Coward on Wednesday April 08 2020, @10:30PM (2 children)

    by Anonymous Coward on Wednesday April 08 2020, @10:30PM (#980407)

    "...However, it’s simpler and more reliable to completely reflash the phone."

    What a pity it is, then, that phone manufacturers, in their ever-enduring quest to wrench away control and ownership of the phone from those who paid for them, have made it damn near impossible to reinstall the phone OS from scratch outside of a "factory reset." A factory reset that relies on archives of the software that are kept on a partition of the phone's main flash chip. A partition on the chip that, at the end of the day, is just as changeable as the rest of the chip, whether it's storing your latest text message, or the most important code on the phone.

    So, for a lot of users, you'd need either expensive, factory-level tools, or to hack the phone so you can bypass the lockouts. A very ironic situation where recovering from a failure in security requires you to have avoided patching yourself to death with whatever controlling updates the company tried to ram down your throat.

    Of course, all of this is one of the major advantages of PCs, which can have separate installation media if you bought it or bothered to make it when you got the machine. Although Big Tech is doing their best to try to erode that away as well, and have done a wonderful job of making sure that PCs have firmware that's similarly hackable, even if it isn't too common to see that in practice at the moment.

    • (Score: 0) by Anonymous Coward on Thursday April 09 2020, @12:20AM

      by Anonymous Coward on Thursday April 09 2020, @12:20AM (#980442)

      Pass a law requiring phone manufacturers to make the tools available to the public to back up, restore and modify their device using a PC?

    • (Score: 4, Interesting) by TheReaperD on Thursday April 09 2020, @04:19AM

      by TheReaperD (5556) on Thursday April 09 2020, @04:19AM (#980493)

      I remember a technology preview given by Intel for their "new" remote management tools (don't remember the marketing speak for the name at the time) that were going to be baked right into the CPU. I asked about security implications at the time. They didn't answer my question and my name was suspiciously absent from the guest list the next conference, whereas my coworker's name was still on it. Lo and behold, the system is getting pwned left and right now and Intel is having to gut their CPU performance to try and combat the problem with only limited success.

      --
      Ad eundum quo nemo ante iit
  • (Score: 3, Funny) by The Mighty Buzzard on Wednesday April 08 2020, @10:45PM (6 children)

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Wednesday April 08 2020, @10:45PM (#980412) Homepage Journal

    They obviously don't have near as many hand tools as I do. The vast majority of them are easily capable of ensuring the malware will never run on that phone again. There are some minor side effects to this approach though.

    --
    My rights don't end where your fear begins.
    • (Score: 1, Touché) by Anonymous Coward on Wednesday April 08 2020, @11:00PM (3 children)

      by Anonymous Coward on Wednesday April 08 2020, @11:00PM (#980417)

      "They obviously don't have near as many hand tools as I do. The vast majority of them are easily capable of ensuring the malware will never run on that phone again. There are some minor side effects to this approach though."

      I see. So, in other words, it's necessary to kill the patient in order to save the patient? But I wouldn't exactly call it a "minor side effect" though.

      • (Score: 0) by Anonymous Coward on Wednesday April 08 2020, @11:10PM (1 child)

        by Anonymous Coward on Wednesday April 08 2020, @11:10PM (#980426)

        Just to add, I wouldn't call it a "feature", either.

      • (Score: 2) by Kitsune008 on Wednesday April 08 2020, @11:39PM

        by Kitsune008 (9054) on Wednesday April 08 2020, @11:39PM (#980436)

        Save the patient?!?
        I see your problem.
        The phone is a tool. When it malfunctions, repair it; if it can't be repaired (or is not worth the effort... YMMV), then discard/destroy it.
        It's only a tool of convenience, you are not its slave.

        BTW, they make pretty colors in my forge. :-)

    • (Score: 0) by Anonymous Coward on Thursday April 09 2020, @12:35AM (1 child)

      by Anonymous Coward on Thursday April 09 2020, @12:35AM (#980446)

      The operation was a success, but the patient died. Sounds about right.

  • (Score: 5, Insightful) by istartedi on Wednesday April 08 2020, @10:58PM (5 children)

    by istartedi (123) on Wednesday April 08 2020, @10:58PM (#980415) Journal

    Remember ROMs and little DIP switches that toggled read/write and were impossible to change unless you actually had physical access to the device? Now get off my lawn!

    --
    Appended to the end of comments you post. Max: 120 chars.
    • (Score: 4, Insightful) by RS3 on Thursday April 09 2020, @01:43AM

      by RS3 (6367) on Thursday April 09 2020, @01:43AM (#980474)

      Absolutely. How about all FLASH storage on a phone is removable, like micro-SD.

      A lot of malware infects system files, but after the OS boots (loading the infected file), the malware hides its file somewhere and copies in a good version of the OS system file. The only way I know of to fix it is to not boot that drive: plug it in as a secondary non-booting drive and scan it. Can't do that with a phone (or any laptop with soldered-in FLASH drives...)
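The offline check described in the comment above, together with the article's advice to compare the system partition against the original firmware (replacing a tampered libc.so) and the related story's point that rogue folders on the system partition survive a factory reset, can be modelled in a short script. This is an added example; it is not code from The Register, Kaspersky, or any commenter. It assumes the device's system partition has been mounted read-only (or dumped to a PC) rather than booted, and that a manifest can be built from the vendor's firmware image for the same build. All directory names, file names and contents below are constructed placeholders.

```python
"""Offline integrity comparison of a system-partition dump against reference firmware.

Added example, not code from the article, Kaspersky, or any commenter. It models the
defensive check the thread describes: mount (do not boot) the device's system partition,
hash every file, and compare against a manifest built from the original firmware image.
It reports files whose hash differs (e.g. a tampered libc.so), files present on the device
but absent from the firmware (rogue directories a factory reset does not remove, since a
reset wipes the data partition, not the system partition), and files that have vanished.
Paths and contents used in demo() are constructed placeholders, not real firmware.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so a large partition need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (as a POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_partition(reference: dict[str, str], device_root: Path) -> dict[str, list[str]]:
    """Diff a device partition tree against a reference manifest.

    'modified'   : same path, different content (candidate for replacement from firmware)
    'unexpected' : present on the device only (where persistence artifacts live)
    'missing'    : present in the firmware only (deleted or renamed system files)
    """
    device = build_manifest(device_root)
    return {
        "modified": sorted(p for p in device if p in reference and device[p] != reference[p]),
        "unexpected": sorted(p for p in device if p not in reference),
        "missing": sorted(p for p in reference if p not in device),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean firmware tree versus a device dump with a patched
    libc.so, an extra dropper directory, and one system binary removed. Placeholder bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        firmware = Path(tmp) / "firmware_system"
        device = Path(tmp) / "device_system"
        for root in (firmware, device):
            (root / "lib").mkdir(parents=True)
            (root / "bin").mkdir()
            (root / "bin" / "sh").write_bytes(b"placeholder: unchanged shell binary")
        # Hypothetical binary that exists in the firmware but was deleted on the device.
        (firmware / "bin" / "placeholder_tool").write_bytes(b"placeholder: firmware-only binary")
        (firmware / "lib" / "libc.so").write_bytes(b"placeholder: clean libc")
        (device / "lib" / "libc.so").write_bytes(b"placeholder: clean libc" + b"\x00 injected code")
        # Hypothetical extra directory: it sits on the system partition, so a reset keeps it.
        (device / "extra_dir").mkdir()
        (device / "extra_dir" / "dropper.apk").write_bytes(b"placeholder: installer")
        return compare_partition(build_manifest(firmware), device)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real device the "device" tree would be the system partition image pulled from recovery or mounted read-only on a PC, and the reference manifest must come from the vendor image for the exact same build, otherwise every file shows as modified. A hash mismatch on a core library such as libc.so is the signal for the repair the article describes: restore the file from the original firmware, or, more reliably, reflash the whole partition.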

    • (Score: 3, Insightful) by Anonymous Coward on Thursday April 09 2020, @02:25AM (3 children)

      by Anonymous Coward on Thursday April 09 2020, @02:25AM (#980480)

      Do you remember the days when in order to flash a BIOS you needed a physical disk in the drive and possibly a dip switch flick?
      Remember how difficult it used to be? Then recall the day Microsoft, in their Almighty Wisdom, decided to bridge the gap so the machine OS could flash the BIOS.
      Then we had BIOS hacks from the OS.
      Later they said "BIOS is not secure! This new EFI will fix that! Trust us!"

      You could almost think it was planned.

      • (Score: 3, Informative) by anubi on Thursday April 09 2020, @03:07AM

        by anubi (2828) on Thursday April 09 2020, @03:07AM (#980486) Journal

        In my day, one had to physically remove the BIOS chips (usually two of 'em... low and high byte), erase them under ultraviolet light, confirm they were now blank, then program the new code with special hardware (an EPROM programmer), and reinstall.

        The absolute worst anyone could do was force me to wipe the drive and restore from backup... Which I did numerous times.

        I knew good and well the position Microsoft was putting us all in.

        I wasn't ranked high enough in the corporation to be taken seriously. They bought into it anyway. It is now far beyond my ability to keep it flying.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 3, Interesting) by istartedi on Thursday April 09 2020, @07:22AM (1 child)

        by istartedi (123) on Thursday April 09 2020, @07:22AM (#980519) Journal

        And the only reason you ever flipped those DIP switches to flash your BIOS was because somebody royally f***ed up. I had plenty of PCs where there was never any reason to flash the BIOS. It is the Basic Input/Output System, after all. If they couldn't get that right, what made them think they could do anything more advanced?

        --
        Appended to the end of comments you post. Max: 120 chars.
        • (Score: 3, Insightful) by RS3 on Friday April 10 2020, @12:50AM

          by RS3 (6367) on Friday April 10 2020, @12:50AM (#980702)

          I wish I could clone myself and those clones would correct all of this type of thinking and argument around the Internet. (Clone thought inspired by last few days' "Dilbert"...) You're making the all-too-common all-or-nothing sweeping generalization.

          BIOS flash is not always because "somebody royally f***ed up".

          Long ago motherboards had switches and/or jumpers to select clock speeds, clock multipliers, Vcore CPU voltages, etc. Then chipsets + BIOS started auto-sensing the CPU and programmed the correct voltages, speeds, and other CPU-specific parameters. But the motherboard's BIOS made in 2002 wasn't able to predict that Intel would release faster CPUs 6 years later. They didn't exist yet, nor their parameters. I've done many BIOS updates for that very reason.

          You can certainly make a good argument that software generally is crap and we're all beta testers. Sadly, most of the world accepts some kind of software update is normal everyday life. As such, I don't know how to fix it, but I'm glad for updates and patches.

  • (Score: 4, Insightful) by Runaway1956 on Thursday April 09 2020, @01:17AM (4 children)

    by Runaway1956 (2926) Subscriber Badge on Thursday April 09 2020, @01:17AM (#980463) Journal

    Open source, Linux, yada yada yada. Except, it isn't. Imagine if you purchased a desktop, a server, or a laptop, with some Unix-like preinstalled, and you couldn't switch to another OS, you can't install or uninstall anything. And, you can only grab updates (if any) from the vendor's own site.

    That ain't Linux, and that ain't open source.

    Blame Google, blame the manufacturers, blame the telcos. They are all party to the current situation, where the end purchaser doesn't really own his phone.

    • (Score: 1, Insightful) by Anonymous Coward on Thursday April 09 2020, @02:27AM (3 children)

      by Anonymous Coward on Thursday April 09 2020, @02:27AM (#980481)

      I love all the posts and sites that say "just root your device".
      Can you afford to brick a computer worth hundreds? I don't know about anyone else, but my other half would be pissed.

      • (Score: 2) by Runaway1956 on Thursday April 09 2020, @05:26AM (1 child)

        by Runaway1956 (2926) Subscriber Badge on Thursday April 09 2020, @05:26AM (#980504) Journal

        Exactly. I do crazy stuff with my own hardware, but it's "hands off" of the wife's stuff. Yeah, it's actually pretty easy to root a phone - except if you screw it up. And, I've actually screwed it up. So, to preserve peace in the family, I don't mess with her stuff.

        • (Score: 2) by sjames on Thursday April 09 2020, @12:35PM

          by sjames (2882) on Thursday April 09 2020, @12:35PM (#980553) Journal

          That's the thing with smartphones, they make them such that you can really brick it. It's hard to brick a PC without opening it up and physically manipulating the hardware in bad ways. You might wipe all your data, it might not even boot, but given an install disk, the PC itself isn't bricked.

          There are even mainboards with two copies of the BIOS so you can recover if you mess one up, then flash the corrupted image back to factory and safely try again.

      • (Score: 0) by Anonymous Coward on Thursday April 09 2020, @02:19PM

        by Anonymous Coward on Thursday April 09 2020, @02:19PM (#980571)

        TWRP [twrp.me]
        NANDROID Backup [gadgethacks.com]
        Custom Roms [xda-developers.com]

        And you're welcome.

  • (Score: 0) by Anonymous Coward on Thursday April 09 2020, @09:30AM (2 children)

    by Anonymous Coward on Thursday April 09 2020, @09:30AM (#980533)

    So, it looks like the single difference between this and any of the pre-installed social media / web services "apps" on phones is that this malware does not show a license agreement which you nevertheless have to accept or you will not be able to use the phone.

    • (Score: 2) by PiMuNu on Thursday April 09 2020, @01:15PM (1 child)

      by PiMuNu (3823) on Thursday April 09 2020, @01:15PM (#980559)

      I know Android bashing is fun, but it is at least possible to uninstall most of the junk that comes preinstalled and disable the rest (i.e. tell the OS not to run it). Also, one can disable access to various phone features; for example, I use Google Maps for satnav and disable access to location data the rest of the time.

      • (Score: 0) by Anonymous Coward on Thursday April 09 2020, @01:19PM

        by Anonymous Coward on Thursday April 09 2020, @01:19PM (#980560)

        Disable Google maps when you are not using it. This program can turn GPS on by itself, user settings be damned.
