The emergence of a new Android malware, known as xHelper, has caught the attention of digital forensics experts and antivirus firms due to a dangerous mechanism that allows it to reinstall itself on the infected device, making it almost impossible to remove.
The first reports of xHelper infections were filed in March, starting with a few hundred devices, although it is now estimated that the number of infected smartphones exceeds 45k Android smartphones. In addition, a report from security firm Symantec mentions that more than 120 new devices are infected daily.
Regarding the attack vector, digital forensics experts mention that malware operators manage to infect devices by redirecting victims to websites that offer third-party apps that are not found in the Play Store. The code in these apps downloads the xHelper Trojan.
While this malware does not focus on data destruction or theft, researchers who have analyzed it conclude that the Trojan is capable of displaying pop-up ads and spam notifications in an intrusive and persistent manner. These ads and notifications invite victims to install other third-party apps, so it’s likely that xHelper operators earn revenue for each installation of the promoted apps.
The behavior of xHelper has impressed the researchers, who discovered that, unlike other variants of mobile operating system malware, xHelper is able to install itself as a standalone service after the installation of the app in which it is contained. “Due to this feature, uninstalling the initial app will not remove this malware from the infected device”, the experts added.
Another intriguing feature of this malware is its ability to reinstall itself: “Even if users manage to detect the xHelper service in operating system apps, it is not possible to remove it conventionally. If removed, xHelper reappears on the OS a few minutes later, regardless of whether the user has performed a factory reset,” the digital forensics experts mention. This malware is even able to activate the ‘Install apps from unknown sources’ option by itself.
Although some users have managed to permanently remove this malware using paid antivirus tools, apparently this is not a functional option for all xHelper victims. International Institute of Cyber Security (IICS) digital forensics experts mention that this is due to the constant evolution of the malware, as operators keep sending xHelper code updates.
The danger does not end there, as the antivirus firms that have analyzed this malware consider it likely that the operators will include new and more risky features, such as installing other malicious apps, ransomware infections, data theft malware, botnet code and more. Users concerned about the security of their mobile devices can check the running services of their OS and, in case of finding signs of infection, look for the best option to remove xHelper permanently.
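One concrete way to perform the check suggested above is to look at which installed packages did not come from the Play Store, since the article describes infection through sideloaded third-party apps and a malware that enables the ‘unknown sources’ setting by itself. The script below is an added example, not code from the article or from any of the firms it cites. It assumes the operator has captured the output of `adb shell pm list packages -i`, whose lines have the shape `package:<name>  installer=<installer package or null>`, and that Play Store installs report `installer=com.android.vending`. The package names in the sample are constructed and are not real xHelper indicators; the `install_non_market_apps` toggle is only meaningful on older Android builds (its `secure`/`global` namespace varies by version, and on Android 8+ the permission is per-app).

```python
"""Flag sideloaded Android packages from captured `pm list packages -i` output.

Added example (not from the original article). Assumptions: output lines look like
`package:<name>  installer=<installer or null>`, and com.android.vending is the
Play Store installer. Sample data below is constructed, not a real device dump.
"""
import re
from typing import Dict, List

# Constructed sample of `adb shell pm list packages -i` (not from a real device).
SAMPLE_PM_OUTPUT = """\
package:com.android.vending  installer=null
package:com.example.bankapp  installer=com.android.vending
package:com.example.cleaner  installer=null
package:com.example.sideloaded.game  installer=com.android.packageinstaller
package:com.google.android.youtube  installer=com.android.vending
"""

# Installers treated as trusted for this example (assumption: Play Store only).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Packages the OS ships itself often report installer=null; this small allow-list
# of prefixes keeps them out of the report. Assumption for this example only.
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Return {package_name: installer} parsed from `pm list packages -i` text."""
    result: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore any line that is not in the expected shape
        result[m.group("pkg")] = m.group("inst")
    return result


def sideloaded_packages(pkgs: Dict[str, str]) -> List[str]:
    """Packages installed by something other than a trusted store, excluding
    system-prefixed names. These are the candidates a user should review."""
    flagged: List[str] = []
    for pkg, installer in sorted(pkgs.items()):
        if installer in TRUSTED_INSTALLERS:
            continue
        if pkg.startswith(SYSTEM_PREFIXES):
            continue
        flagged.append(pkg)
    return flagged


def unknown_sources_enabled(settings_value: str) -> bool:
    """Interpret the value returned by `adb shell settings get ... install_non_market_apps`.
    Assumption: legacy global toggle where '1' means sideloading is allowed."""
    return settings_value.strip() == "1"


if __name__ == "__main__":
    pkgs = parse_pm_list(SAMPLE_PM_OUTPUT)
    for p in sideloaded_packages(pkgs):
        print(f"review: {p} (installer={pkgs[p]})")
    # A value of "1" here would mean the toggle the article says xHelper flips is on.
    print("unknown sources enabled:", unknown_sources_enabled("1"))
```

On a real device the input would come from `adb shell pm list packages -i` instead of the embedded sample; a package that keeps reappearing in this list after removal, with a non-store installer, matches the persistence behaviour the article describes and is a reason to escalate rather than to keep deleting it by hand.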