xHelper, the Malware that cannot be Eliminated from Android Devices

Symantec, a company specialized in information security, published a report detailing xHelper, a malware that affected almost 45,000 Android devices around the world in a few months. Its main characteristic is its extreme persistence, since it has the capacity to reinstall itself automatically, even after the device has been formatted.

“This is the second threat directed at Android reported in October and, although its reach is limited to only a few tens of thousands of devices, it is drawing attention due to the techniques used by hackers to ensure this malicious software can fulfill its role no matter what actions the user takes”, said Symantec.

xHelper is considered an Advanced Persistent Threat (APT). It is capable of remaining on the mobile device after the app has been removed, and even after the device has been rebooted, according to the Symantec report.

The first reported case of xHelper dates from March this year, almost eight months ago. Its expansion has been slow so far, but at a steady pace of 131 daily infections, which implies a peak that can reach 2,400 infected cell phones every month. As a matter of fact, in August the number of infections was 32,000, while in October it reached 45,000.

The app targets specific brands of cell phones running Android in the USA, Russia and India. Android users reported this malware, which does not appear in the app list and causes ads to be displayed on the screen. Despite being uninstalled, it reinstalls itself, said Symantec. xHelper does not appear in the app list because it is a component of an app, which makes it easier for the malware to harm the device without being noticed.

Its origin has not been tracked, but the company has pointed out that it can be found in modified apps, which users download from unknown sources. According to Malwarebytes, another company specialized in the same field, its origin can be traced to gaming sites that encourage players to download apps from unreliable sources.

The malware activates through an external event, such as when the device connects to or disconnects from a power source, when an app is installed or uninstalled, and even when the cell phone is formatted. The virus runs in the background so it avoids the battery saver, and it is programmed to restart automatically if it is stopped.

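The activation events described above (power connected or disconnected, app installed or uninstalled, reboot) are ordinary Android system broadcasts that an app registers for in its manifest. The following is an added example, not code from the article or from Symantec's report: a small triage script that parses a decoded AndroidManifest.xml and flags an app that listens for those persistence-related broadcasts while exposing no launcher activity, which matches the article's description of a component that never shows up in the app list. It assumes you already have the manifest as plain XML text (a real APK stores it as binary XML, which a tool such as apktool decodes); the sample manifests, package names and receiver names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; element names do not.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# System broadcasts that match the activation events the article describes
# (power state, package install/remove) plus boot and unlock, which any
# "comes back after a reboot" behaviour depends on.
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
    "android.intent.action.PACKAGE_REPLACED",
    "android.intent.action.MY_PACKAGE_REPLACED",
    "android.intent.action.USER_PRESENT",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Summarise which receivers wake the app on system events and whether
    the app has any launcher entry a user could see in the app list."""
    root = ET.fromstring(manifest_xml)
    triggers = {}  # receiver name -> sorted list of persistence actions
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name", "?")
        hits = sorted(
            action.get(ANDROID_NS + "name", "")
            for intent_filter in receiver.findall("intent-filter")
            for action in intent_filter.findall("action")
            if action.get(ANDROID_NS + "name", "") in PERSISTENCE_ACTIONS
        )
        if hits:
            triggers[name] = hits

    # An activity with the LAUNCHER category is what puts an icon in the app list.
    has_launcher = any(
        cat.get(ANDROID_NS + "name") == "android.intent.category.LAUNCHER"
        for activity in root.iter("activity")
        for intent_filter in activity.findall("intent-filter")
        for cat in intent_filter.findall("category")
    )
    return {
        "package": root.get("package", ""),
        "persistence_triggers": triggers,
        "has_launcher_activity": has_launcher,
        # Self-starting on system events with nothing visible to the user is the
        # combination worth a closer look; it is a heuristic, not proof of malice.
        "hidden_and_self_starting": bool(triggers) and not has_launcher,
    }


# Constructed sample: no launcher activity, a receiver on boot and power events.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
    <service android:name=".KeepAliveService" android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with a launcher icon and no receivers.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(text))
```

Run against a decoded manifest from a sideloaded APK, the interesting output is a non-empty `persistence_triggers` map together with `has_launcher_activity` being false; legitimate apps do register for `BOOT_COMPLETED` too, so the result is a starting point for manual review rather than a verdict.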
Once it has accessed the device, this virus loads malicious code into memory and connects the device to the hackers' server, from which it spreads various malicious programs to steal data or even control the device. Other users have been affected by ad malware.

The malicious payload that installs xHelper connects to a command and control server to wait for further requests. The communication also hides itself from the user and from security software by using an SSL certificate to avoid being intercepted. These “additional orders” include the delivery of additional malware payloads and rootkits to enable full control of the infected device.

Why Does Resetting to Factory Settings Not Work?

The greatest question, in terms of security, is: how can any malware survive a factory reset? Unless it was part of the smartphone's firmware, a factory reset should eliminate it.

Symantec's report seems to rule out this possibility; it stated: “we believe it is not likely that xHelper is preinstalled on the devices, since these apps give no indication of being system-related apps.”

The most likely explanation given in the report is that another, separate app is persistently downloading the malware.

May Ying Tee, a software engineer at Symantec and one of the report's authors, stated that “technically, the malware does not survive a factory reset.” Instead, Ying Tee says: “we believe it might have been eliminated and then reinstalled by some other malware, thus giving the impression of surviving the factory reset.”

The only way to get rid of the malware is to fully clean the mobile device; however, to do so you must have rooted the device, or there will be no way to eliminate the intruder.

It is important to highlight that rooting is a process by which the device's operating system is modified in order to gain full control of it and to bypass any limitations the manufacturer might have set; it is even possible to extend its functionality.

As for why xHelper can resist a factory reset, there is still no explanation; therefore, it is necessary to wait until antivirus software is capable of removing it.

Nevertheless, cyber security companies have noticed the evolution of this malicious code, with some additions made to it. As a matter of fact, among those recent changes there were references to Jio, India's biggest 4G network, which, according to Symantec, may indicate a possible attack on the users of this network.

So far, the argument to reassure Android users is that the malware is not hosted in any of the apps on the Play Store, which is why, if people download all their apps from Google's official store, they will not have issues with this Trojan.

On the other hand, John Opdenakker, an ethical hacker, says “these are bad security practices that get users into trouble.” Usually, people reinstall the same apps they had before the factory reset, including those from sources other than Google Play, and, for that reason, the malware may be reinstalled on the smartphone.

“This reinforces the risk of installing apps from outside the official app stores”, said app security specialist Sean Wright. “My recommendation is to install apps only from the official app stores, unless you know for sure how safe the app is.”

Of course, malicious apps can also be found on the Play Store, but the chances of installing a malicious app are reduced. However, this is the best advice we can give thus far. Symantec researchers believe the malware code is still a work in progress, and there are still many more tricks to be discovered.

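The advice above amounts to one concrete check after a factory reset: which of the apps put back on the phone did not come from the official store. Android records the installing package for each app, and `adb shell pm list packages -3 -i` prints it for third-party apps. The script below is an added example, not from the article or from any of the researchers quoted; it parses that output and separates apps installed by Google Play from everything else. The assumed line format is `package:<name>  installer=<installer or null>`, the sample output is constructed, and the set of trusted installers is an assumption you would adjust (for instance to add a vendor store your organisation accepts).

```python
import re

# Installer packages considered trustworthy. Google Play is the one the
# article recommends; extend this set only with stores you deliberately accept.
TRUSTED_INSTALLERS = {
    "com.android.vending",  # Google Play Store
}

# One line of `pm list packages -3 -i` output (format assumed for this example).
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def audit_installers(pm_output: str, trusted=frozenset(TRUSTED_INSTALLERS)) -> dict:
    """Split packages into those installed by a trusted store and those that
    were sideloaded (installer=null) or installed by some other package."""
    result = {"trusted": [], "sideloaded": [], "unparsed": []}
    for raw in pm_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            result["unparsed"].append(line)
            continue
        pkg, inst = m.group("pkg"), m.group("inst")
        if inst in trusted:
            result["trusted"].append(pkg)
        else:
            # installer=null means the APK was sideloaded with no recorded store;
            # an installer that is itself an ordinary app (a dropper, in the
            # scenario the article describes) is reported the same way.
            result["sideloaded"].append((pkg, inst))
    return result


# Constructed sample output; package names are invented for the example.
SAMPLE_PM_OUTPUT = """\
package:com.example.notes  installer=com.android.vending
package:com.example.freegame  installer=null
package:com.example.toolkit  installer=com.example.dropper
"""

if __name__ == "__main__":
    report = audit_installers(SAMPLE_PM_OUTPUT)
    for pkg, inst in report["sideloaded"]:
        print(f"review: {pkg} (installer={inst})")
```

Pipe the real command output into `audit_installers` and review every package in the `sideloaded` list; an app whose installer is another third-party app, rather than `null` or a store, is exactly the pattern the Symantec researchers describe, where one app keeps reinstalling another.
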