The secret behind "unkillable" Android backdoor called xHelper has been revealed:
In February, a researcher detailed a widely circulating Android backdoor that's so pernicious that it survives factory resets, a trait that makes the malware impossible to remove without taking unusual measures.
The analysis found that the unusual persistence was the result of rogue folders containing a trojan installer, neither of which was removed by a reset. The trojan dropper would then reinstall the backdoor in the event of a reset. Despite those insights, the researcher still didn't know precisely how that happened. Now, a different researcher has filled in the missing pieces. More about that later. First, a brief summary of xHelper.
The malicious Android app poses as a performance enhancer that removes old and unneeded files. Antivirus provider Malwarebytes has detected it on 33,000 devices, mainly located in the United States, while AV from Russia-based Kaspersky Lab found it on 50,000 devices. There's no evidence xHelper has ever been distributed through Google Play.
Once installed, xHelper installs a backdoor that remotely installs apps downloaded from an attacker-controlled server. It also executes commands as a superuser, a powerful privilege setting that gives the malware unfettered system rights. Besides that, the backdoor has access to sensitive data, including browser cookies used to sign in to sites automatically. Once the backdoor is installed, the fake cleaner app disappears from the main screen and program menu and can only be viewed by inspecting the list of installed apps in the system settings.
Previously:
Android Users Hit With 'Unkillable Malware'
Related Stories
Arthur T Knackerbracket has found the following story:
An Android malware package likened to a Russian matryoshka nesting doll has security researchers raising the alarm, since it appears it's almost impossible to get rid of.
Known as xHelper, the malware has been spreading mainly in Russia, Europe, and Southwest Asia on Android 6 and 7 devices (which, while old and out of date, make up around 15 per cent of the current user base) for the past year from unofficial app stores. Once on a gizmo, it opens a backdoor, allowing miscreants to spy on owners, steal their data, and cause mischief.
It has only recently been picked apart by Kaspersky Lab bods, and what makes the malware particularly nasty, the researchers say, is how it operates on multiple layers on the tablets and handsets it infects.
"The main feature of xHelper is entrenchment," explained Igor Golovin on Tuesday. "Once it gets into the phone, it somehow remains there even after the user deletes it and restores the factory settings."
[...] The best thing to do, though, is go a step further than a factory reset, and erase the flash memory completely, including the system partition, and put in a fresh clean copy. "If you have Recovery mode set up on your Android smartphone," said Golovin, "you can try to extract the libc.so file from the original firmware and replace the infected one with it, before removing all malware from the system partition. However, it’s simpler and more reliable to completely reflash the phone."
Even better advice is to avoid downloading any suspicious apps from the Google Play Store, just to be safe, and definitely don't use unauthorized third-party stores at all.
(Score: 3, Insightful) by Anonymous Coward on Friday April 17 2020, @02:25AM
It doesn't say why the backdoor survived the reset. It says that it installs a backdoor, but no useful insight provided.
(Score: 0) by Anonymous Coward on Friday April 17 2020, @02:55AM
Mysterious origins
While the exact origins of xHelper are being actively investigated, Symantec suspects two different possibilities: a rogue app laced with the malware is possibly being downloaded by users from unknown sources, or a malicious system app that’s persistently downloading the malware despite users performing factory resets and manually uninstalling it.
Malwarebytes researchers, on the other hand, believe it’s being spread via shady game websites that trick unsuspecting users into downloading apps from untrusted third-party sources.
Aside from operating silently in the background, xHelper takes its stealth behavior to new heights by not creating an app icon or a shortcut icon on the home screen launcher. The only indicator is a listing in the app info section of the infected phone’s settings.
The lack of an app icon means the malware cannot be launched manually. But to get around the problem, it relies on external triggers — like connecting or disconnecting the infected device from a power supply, rebooting a device, or installing or uninstalling an app — to run itself as a foreground service that minimizes the chance of getting killed.
https://thenextweb.com/security/2019/10/30/45000-android-devices-infected-by-new-unremovable-xhelper-malware/ [thenextweb.com]
(Score: 2, Informative) by anubi on Friday April 17 2020, @03:26AM (1 child)
Open your file manager and search for "mufc" (without the quotes).
The above is in the linked article...my post is just a TLDR.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 3, Informative) by anubi on Friday April 17 2020, @03:36AM
Some more...
"Hidden inside a directory named com.mufc.umbtts was an Android application package, or APK, that dropped an xHelper variant. The variant, in turn, dropped more malware within seconds."
Apparently, she was able to rid herself of this nuisance by deleting the folders...
I guess it goes without saying to stay offline until you clean up the mess.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
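The file-manager search anubi describes, done over a pulled copy of the device's storage, as an added Python example (not code from the article, the researchers, or any commenter): it walks a directory tree, flags every directory whose own name contains the marker "mufc" (the only xHelper indicator the quoted article gives), and lists the APK-like files inside each hit, treating a file as APK-like if it ends in `.apk` or begins with ZIP magic bytes, since an APK is a ZIP archive. The directory layout it scans is constructed in a temporary directory with placeholder bytes so the script runs offline; pointing `find_marked_dirs` at an `adb pull` of a real device is the assumed use.

```python
import os
import tempfile
from typing import Dict, List

# An APK is a ZIP archive, so a genuine one starts with the ZIP local-file header.
ZIP_MAGIC = b"PK\x03\x04"


def is_apk(path: str) -> bool:
    """True if the file has the .apk extension or begins with ZIP magic bytes
    (catches a dropper stored under an innocuous extension)."""
    if path.lower().endswith(".apk"):
        return True
    try:
        with open(path, "rb") as fh:
            return fh.read(len(ZIP_MAGIC)) == ZIP_MAGIC
    except OSError:
        return False


def find_marked_dirs(root: str, marker: str = "mufc") -> Dict[str, List[str]]:
    """Walk `root` and return {relative dir path: [APK-like file names]} for
    every directory (excluding root itself) whose own name contains `marker`,
    compared case-insensitively. The default marker is the string the comment
    above tells readers to search for."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if dirpath == root:
            continue
        if marker.lower() in os.path.basename(dirpath).lower():
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            hits[rel] = sorted(
                name for name in filenames if is_apk(os.path.join(dirpath, name))
            )
    return hits


def build_sample_tree() -> str:
    """Constructed sample layout for the demo (placeholder bytes, not malware):
    one directory named like the one in the quoted article, one benign app
    directory, and a ZIP-magic file outside any marked directory."""
    root = tempfile.mkdtemp(prefix="xhelper_demo_")
    layout = {
        "com.mufc.umbtts/base.apk": ZIP_MAGIC + b"placeholder",
        "com.mufc.umbtts/notes.txt": b"plain text, not an archive",
        "com.example.benign/cache.bin": b"\x00\x01\x02",
        "Download/renamed.bin": ZIP_MAGIC + b"placeholder",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_dir, apks in find_marked_dirs(sample_root).items():
        print(f"{rel_dir}: {len(apks)} APK-like file(s) {apks}")
```

Only the directory name is matched, so `Download/renamed.bin` is not reported even though it carries ZIP magic; a marker match on a directory that holds an installer is the combination the article describes, and a single indicator on its own is weaker evidence.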
(Score: 0) by Anonymous Coward on Friday April 17 2020, @06:44PM (1 child)
All the cool people have them. Gotta keep those secret backups synced with the lizards.
(Score: 0) by Anonymous Coward on Friday April 17 2020, @10:21PM
WHY IS SPOT UNDER THE BED?
(Score: 0) by Anonymous Coward on Friday April 17 2020, @09:28PM
I figured it would be in the bootloader, or at least hidden in a kernel module. In reality it's pretty standard rootkit stuff that might have been state of the art 20 years ago in the server world. The only thing about it that's really interesting is that it works on the Android system partition (which is also why it survives a factory reset - that assumes the system partition is safe). Even that isn't all that interesting, though. Modifying the system partition is standard stuff in the Android rooting world.
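The system-partition point made in this comment, and Golovin's quoted advice earlier in the thread about replacing an infected libc.so with the copy from the original firmware, both come down to one check: does each file on the device's system partition still match the stock image? As an added Python example (not code from the article, Kaspersky, or any commenter), the block below hashes every file under two directory trees, assumed to be a mounted copy of the stock system image and a pulled copy of the suspect device's system partition, and reports files that were modified, are missing, or are present only on the device. The two sample partitions it compares are constructed with placeholder bytes so it runs offline.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large system images are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every regular file under `root` (relative POSIX path) to its SHA-256.
    Run once on the stock image to get the reference manifest, and again on
    the suspect device's system partition."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(reference: Dict[str, str], observed: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences: files whose hash changed, files the stock image has
    but the device lacks, and files present on the device only."""
    return {
        "modified": sorted(p for p in reference if p in observed and observed[p] != reference[p]),
        "missing": sorted(p for p in reference if p not in observed),
        "unexpected": sorted(p for p in observed if p not in reference),
    }


def _write_tree(root: str, files: Dict[str, bytes]) -> None:
    """Write a dict of relative path -> bytes under root (demo helper)."""
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def build_sample_partitions():
    """Constructed stand-in for a stock system image and a tampered device copy
    (placeholder bytes only): libc.so differs and an extra APK directory exists,
    mirroring the two indicators the thread mentions."""
    stock = {
        "lib/libc.so": b"stock libc placeholder",
        "bin/sh": b"shell placeholder",
        "app/Settings/Settings.apk": b"PK\x03\x04settings placeholder",
    }
    device = dict(stock)
    device["lib/libc.so"] = b"patched libc placeholder"
    device["app/com.mufc.umbtts/base.apk"] = b"PK\x03\x04dropper placeholder"
    stock_root = tempfile.mkdtemp(prefix="stock_system_")
    device_root = tempfile.mkdtemp(prefix="device_system_")
    _write_tree(stock_root, stock)
    _write_tree(device_root, device)
    return stock_root, device_root


def audit_sample() -> Dict[str, List[str]]:
    """Build the constructed partitions and return the comparison report."""
    stock_root, device_root = build_sample_partitions()
    return compare_manifests(build_manifest(stock_root), build_manifest(device_root))


if __name__ == "__main__":
    for kind, paths in audit_sample().items():
        print(f"{kind}: {paths}")
```

The reference manifest has to come from firmware obtained independently of the device (a vendor image, not a backup taken after infection), otherwise the comparison inherits whatever was already modified; and a clean report from this check says nothing about partitions it did not hash, which is why the quoted advice prefers a full reflash.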