Cybersecurity experts have found a solution for the "unremovable" xHelper malware, which manages to reinstall itself even after users delete it or factory-reset the infected device, making it almost impossible to get rid of.
The malware was first spotted in March 2019, and by August it had infected more than 32,000 devices. In October it was reported to have infected over 45,000 Android devices.
xHelper can gain full control over a device, including access to all app data, and can execute commands as a superuser.
Cybersecurity researchers had been trying to work out how the malware survives deletion and a factory reset; now Igor Golovin, a cybersecurity analyst at Kaspersky, has explained how xHelper does it.
How the xHelper malware operates
The currently active sample of xHelper, Trojan-Dropper.AndroidOS.Helper.h, disguises itself as a popular cleaner and speed-up app for smartphones. However, it disappears from the main screen and app menu once installed. It is only visible through examining the list of installed apps in the system settings.
Once installed, the malware payload’s task is collecting victims’ device information and sending it to the operators’ web server. The malware then downloads a malicious Trojan dropper, which downloads another dropper named “helper”. “helper” downloads yet another dropper called “leech” and eventually leech delivers the Triada Trojan. Kaspersky describes this “dropper within a dropper” pattern as a “matryoshka-style scheme”.
“matryoshka-style scheme allows the malware authors to obscure the trail and use malicious modules that are known to security solutions,” reads the blog post published by Kaspersky.
The malware then obtains root privileges and administrative access to the Android operating system.
It can gain root access mainly on devices running Android versions 6 and 7 from Chinese manufacturers (including ODMs). After obtaining these privileges, xHelper can install malicious files directly into the system partition.
How to permanently delete xHelper
The malware remounts the system partition in write mode in order to copy itself there. To prevent its own deletion, it then modifies a system library (libc.so), so that the user can no longer remount the system partition in write mode.
To permanently remove the malware, users can replace the infected library with the one from the original firmware; however, rather than attempting such a difficult task, users can simply reflash the infected device. The Kaspersky expert explains:
“But if you have Recovery mode set up on your Android smartphone, you can try to extract the libc.so file from the original firmware and replace the infected one with it, before removing all malware from the system partition. However, it’s simpler and more reliable to completely reflash the phone.”
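The removal advice above depends on knowing which files in the system partition differ from the original firmware. The script below is an added example written for this page, not code from the article or from Kaspersky: it builds a SHA-256 manifest of a known-good firmware tree and diffs a suspect system tree against it, reporting modified files (such as a patched libc.so), files that are not in the firmware at all (dropped payloads), and files that are missing. All paths, file contents and the "tampering" in the demo are constructed for the example; on a real device you would run the diff against a system image pulled via Recovery, not against a temporary directory.

```python
#!/usr/bin/env python3
"""Diff a system partition tree against a known-good firmware manifest.

Added example (not from the article or Kaspersky). The article states that
xHelper remounts /system read-write, drops files there and modifies libc.so.
Given the original firmware image, a defender can hash every file under
/system and compare a suspect tree against that manifest. Everything here
(directory layout, file contents, the simulated tampering) is constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large libraries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file's path (relative to root, POSIX style) to its hash."""
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def diff_against_manifest(root: Path, manifest: dict) -> dict:
    """Classify files in a suspect tree as modified, unexpected or missing."""
    seen = build_manifest(root)
    modified = sorted(k for k in seen if k in manifest and seen[k] != manifest[k])
    unexpected = sorted(k for k in seen if k not in manifest)
    missing = sorted(k for k in manifest if k not in seen)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def demo() -> dict:
    """Constructed scenario: a clean firmware tree versus a tampered device tree."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "firmware_system"
        suspect = Path(tmp) / "device_system"
        for root in (clean, suspect):
            (root / "lib").mkdir(parents=True)
            (root / "bin").mkdir()
            (root / "lib" / "libc.so").write_bytes(b"original libc bytes")
            (root / "bin" / "sh").write_bytes(b"original shell")
        # Simulate the tampering the article describes (constructed data):
        # a patched libc.so and an extra file dropped into the system partition.
        (suspect / "lib" / "libc.so").write_bytes(b"patched libc bytes")
        (suspect / "bin" / "dropped_helper").write_bytes(b"not in firmware")
        manifest = build_manifest(clean)
        return diff_against_manifest(suspect, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The three lists map directly onto the cleanup steps in the quote: "modified" tells you which library to restore from the original firmware, and "unexpected" tells you which files to remove from the system partition. If the lists are long or the tree cannot be remounted read-write at all, that is the case where reflashing is the more reliable option.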