Pierluigi Paganini October 30, 2019

A new piece of malware dubbed Xhelper has infected more than 45,000 Android devices in just the last six months and is continuing to spread.

The campaign began months ago, a new piece of malware dubbed Xhelper has infected more than 45,000 Android devices in just six months and is continuing to spread at a fast space.

Malware researchers at Symantec estimated that the Xhelper malware is infecting at least 2,400 devices on an average each month, mainly in India, U.S., and Russia.

Xhelper is a persistent Android dropper app that is able to reinstall itself even after users attempt to uninstall it.

“Symantec has observed a surge in detections for a malicious Android application that can hide itself from users, download additional malicious apps, and display advertisements.” reads the analysis published by Symantec. “The app, called Xhelper, is persistent. It is able reinstall itself after users uninstall it and is designed to stay hidden by not appearing on the system’s launcher. The app has infected over 45,000 devices in the past six months.”

The experts observed several users posting about Xhelper on online forums, as a result of the infection, the users are complaining of random pop-up advertisements.

Android users reported that despite they have rebooted their devices and also wiped them, the Xhelper is always there.

Xhelper is an application component that is not listed in the device’s application launcher, the malicious app is launched by external events (i.e. when the compromised device is connected to or disconnected from a power supply, the device is rebooted, or an app is installed or uninstalled).

Upon execution, the malware will register itself as a foreground service, once it has gained a foothold on the device, it will execute its core malicious functionality by decrypting to memory the malicious payload embedded in its package. The malware then connects to the C&C server and waits for commands, experts noticed that the malware encrypts communications and implements certificate pinning to prevent MiTM attacks.

“Upon successful connection to the C&C server, additional payloads such as droppers, clickers, and rootkits, may be downloaded to the compromised device.” continues the report. “We believe the pool of malware stored on the C&C server to be vast and varied in functionality, giving the attacker multiple options, including data theft or even complete takeover of the device.”

Security experts suspect the malicious code is included in a system app pre-installed on the Android devices of certain phone brands.

Researchers pointed out that the sample they have analyzed were not available on the Google Play Store

“From our telemetry, we have seen these apps installed more frequently on certain phone brands, which leads us to believe that the attackers may be focusing on specific brands.” continues the analysis.

Of course, we cannot exclude that the Xhelper malware is being spread by download apps from untrusted third-party sources.

Symantec believes that the malware’s source code is still a work in progress due to the presence in the source code of classes and constant variables that have yet to be implemented.

Researchers advise users to take the following precautions:

• Keep your software up to date.
• Do not download apps from unfamiliar sites.
• Only install apps from trusted sources.
• Pay close attention to the permissions requested by apps.
• Install a suitable mobile security app, such as Norton or Symantec Endpoint Protection Mobile, to protect your device and data.
• Make frequent backups of important data.

Pierluigi Paganini

(SecurityAffairs – Xhelper, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]