xHelper, an Android malware that automatically re-installs itself after a factory reset

xHelper is a strain of Android malware that re-installs itself on infected devices even after it has been deleted or the device has been factory reset, wiping all data and apps.


xHelper was first described by Symantec experts in October 2019. It is a persistent and stubborn piece of malware that automatically re-installs itself despite repeated attempts to uninstall it.

Within just six months, the malware had infected more than 45,000 Android-based devices, and it continued spreading at an alarming rate. At the time, according to Symantec estimates, the unkillable malware was infecting at least 2,400 devices monthly, mainly in Russia, India, and the United States.

Security experts at Kaspersky have since provided deeper insights, shedding more light on the persistence mechanism and capabilities of this destructive malware, along with advice on how to permanently remove its files from an infected device.

In terms of distribution, the malware poses as a speed-optimization and cleaner app for mobile devices. Russia (80.56%), India (3.43%) and Algeria (2.43%) account for most of the infections.

Once installed, the app's icon disappears from the launcher, although the app remains visible in the list of installed apps in the system settings. The malware then registers itself as a foreground service and extracts an encrypted payload whose sole purpose is to collect information about the device and transmit it to servers controlled by the attackers.

At this stage the payload decrypts and runs a dropper tracked as Trojan-Dropper.AndroidOS.Helper.b, which in turn launches Trojan-Downloader.AndroidOS.Leech.p. That downloader fetches a further component that uses exploits to obtain root access on the device.

‘The malicious files are stored in the data folder, which other programs don’t have access to. This malware, touted as a security solution, gains root access and installs these files directly on the system partition.’ The malware mainly affects Chinese-made phones running Android 6 and 7.

After installation, the malware executes commands received from its C2 server. The connection uses SSL certificate pinning, which gives the attackers a communication channel that cannot easily be intercepted or inspected.

‘It’s important to factor in that the firmware of some phones comes with pre-installed malware that will independently download and install programs such as xHelper. In such a case, flashing your device would be futile, and you should consider other firmware for your phone. If you use different firmware, note that some of the device’s components may not operate correctly,’ Kaspersky notes.

‘The programs install a backdoor that can execute commands as superuser, providing the hackers with complete access to all application data, which can also be exploited by other malware.’

xHelper sets the immutable attribute on the files it drops into the targeted folders, making the malware extremely difficult to remove, as ‘the system does not permit a superuser to delete files with this particular type of attribute.’
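As an added illustration (not from the article or from Kaspersky's write-up): a Python script that finds files carrying the Linux immutable (+i) or append-only (+a) inode attribute under a directory such as a mounted /system image, and clears the attribute so that the file can be unlinked. Reading the attribute uses the FS_IOC_GETFLAGS ioctl and needs no privilege; clearing it uses FS_IOC_SETFLAGS and needs root (CAP_LINUX_IMMUTABLE) plus a read-write mount. The ioctl request numbers are computed the way <linux/fs.h> does for the generic ioctl encoding used on x86 and ARM, which is an assumption of this script; the sample directory scanned when the script is run without arguments is constructed by the script itself.

```python
"""Locate and clear the Linux immutable/append-only inode attributes that
xHelper abuses for persistence (added example, not the article's code)."""
import errno
import fcntl
import os
import struct
import sys
import tempfile

# Request numbers built as <linux/fs.h> builds them with _IOR/_IOW.
# Assumes the generic asm ioctl encoding (x86, arm, arm64): _IOC_READ = 2,
# _IOC_WRITE = 1, and a size field of sizeof(long).
_SIZEOF_LONG = struct.calcsize("l")
FS_IOC_GETFLAGS = (2 << 30) | (_SIZEOF_LONG << 16) | (ord("f") << 8) | 1
FS_IOC_SETFLAGS = (1 << 30) | (_SIZEOF_LONG << 16) | (ord("f") << 8) | 2

# Inode flag bits from <linux/fs.h>
FS_IMMUTABLE_FL = 0x00000010  # chattr +i: no unlink/rename/write, even as root
FS_APPEND_FL = 0x00000020     # chattr +a: append only
FS_NODUMP_FL = 0x00000040
FS_NOATIME_FL = 0x00000080

_FLAG_NAMES = {
    FS_IMMUTABLE_FL: "immutable",
    FS_APPEND_FL: "append-only",
    FS_NODUMP_FL: "nodump",
    FS_NOATIME_FL: "noatime",
}


def decode_attr_flags(flags: int) -> set:
    """Map a raw FS_IOC_GETFLAGS value to human-readable attribute names."""
    return {name for bit, name in _FLAG_NAMES.items() if flags & bit}


def get_attr_flags(path: str):
    """Return the inode attribute flags of `path`, or None when the
    filesystem has no such attributes (tmpfs, procfs, ...)."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        buf = bytearray(_SIZEOF_LONG)  # the kernel writes an int into it
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf, True)
        return struct.unpack_from("i", buf)[0]
    except OSError as e:
        if e.errno in (errno.ENOTTY, errno.ENOTSUP, errno.EOPNOTSUPP, errno.EINVAL):
            return None
        raise
    finally:
        os.close(fd)


def find_immutable_files(root: str) -> list:
    """Walk `root` (e.g. a mounted /system image) and return, sorted, the
    regular files whose inode carries FS_IMMUTABLE_FL or FS_APPEND_FL."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                flags = get_attr_flags(path)
            except OSError:
                continue  # unreadable file: nothing to report
            if flags is not None and flags & (FS_IMMUTABLE_FL | FS_APPEND_FL):
                hits.append(path)
    return sorted(hits)


def clear_immutable(path: str) -> None:
    """Drop +i/+a so that `rm` works again. Requires CAP_LINUX_IMMUTABLE and
    a read-write mount; on an infected device the remount itself is blocked
    until the patched libc.so has been replaced."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        buf = bytearray(_SIZEOF_LONG)
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf, True)
        flags = struct.unpack_from("i", buf)[0] & ~(FS_IMMUTABLE_FL | FS_APPEND_FL)
        fcntl.ioctl(fd, FS_IOC_SETFLAGS, struct.pack("i", flags))
    finally:
        os.close(fd)


def scan_constructed_sample() -> list:
    """Constructed input: a throwaway directory with an ordinary (fake) .so
    file, so the scanner can be exercised without a device image."""
    root = tempfile.mkdtemp(prefix="xhelper-scan-")
    with open(os.path.join(root, "libc.so"), "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 12)  # fake ELF header, not a real library
    return find_immutable_files(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = find_immutable_files(target) if target else scan_constructed_sample()
    for p in hits:
        print(p, sorted(decode_attr_flags(get_attr_flags(p))))
    print(f"{len(hits)} file(s) with immutable/append-only attribute")
```

Run it against a mounted system partition (`python3 scan.py /mnt/system`) from a rooted shell or a forensic workstation; each reported path is a candidate that plain `rm` will refuse even as root until `clear_immutable` (or `chattr -i`) has been applied.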

Experts have also noted that xHelper modifies the device's system library, libc.so, so that the system partition can no longer be remounted in write mode. This is what makes the malware virtually unkillable.

Replacing the modified libc.so with the original one from the device's firmware restores the ability to remount the system partition in write mode, after which the malware's files can be removed.


In conclusion, Kaspersky stated: ‘If you have recovery mode set up on your phone, you can extract the libc.so file from the original firmware and replace the infected file with it, before removing all the malware files from the system partition. But re-flashing your device is much more reliable and simpler.’
