Xhelper malware continues to infect Android devices. Moreover, the Xhelper Trojan remains on the device even after it is deleted or the device is completely reset to factory settings.
According to Nathan Collier, Senior Malware Intelligence Analyst, Xhelper’s behavior is ushering in a new era of mobile malware. The possibility of reinfection using a hidden directory containing an APK that could evade detection is really scary.
“This is by far the nastiest infection I have encountered as a mobile malware researcher. Usually a factory reset, which is the last option, resolves even the worst infection. I cannot recall a time that an infection persisted after a factory reset unless the device came with pre-installed malware”, says Nathan Collier.
Researchers first discovered Xhelper in March 2019. At that time, the malware's functionality was relatively simple, and its main function was monetizing visits to advertising pages. However, this did not stop the malware from entering the top threats of 2019.
Since then, most security applications for Android devices have added xHelper detection, but it turned out that getting rid of the malware is not so simple.
According to experts from Malwarebytes, xHelper is not distributed as part of the pre-installed malware contained in the firmware, but uses the Google Play store to re-infect the device after a complete reboot or after cleaning with antivirus software.
“We have seen important pre-installed system apps infected with malware in the past. But Google PLAY itself!? After further analysis, we determined that, no, Google PLAY was not infected with malware. However, something within Google PLAY was triggering the re-infection—perhaps something that was sitting in storage. Furthermore, that something could also be using Google PLAY as a smokescreen, falsifying it as the source of malware installation when in reality, it was coming from someplace else”, explain Malwarebytes specialists.
According to the experts, the malware makes it appear that Google Play is the source of infection, while in fact the installation is carried out from somewhere else.
While analyzing files stored on one of the victims’ compromised Android smartphones, it was discovered that the Trojan downloader was embedded in the APK located in the com.mufc.umbtts directory.
Experts have not yet been able to figure out what role Google Play plays in the infection process.
“Here’s the confusing part: Nowhere on the device does it appear that Trojan.Dropper.xHelper.VRW is installed. It is our belief that it installed, ran, and uninstalled again within seconds to evade detection—all by something triggered from Google PLAY. The “how” behind this is still unknown. It’s important to realize that unlike apps, directories and files remain on the Android mobile device even after a factory reset. Therefore, until the directories and files are removed, the device will keep getting infected”, write the researchers.
Users are advised to disable the Google Play store and then scan the device with an antivirus program. Otherwise, the malware will keep returning despite being removed from the device.
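A defender-side check for the persistence mechanism described above, added here as an example and not part of the article or of Malwarebytes' tooling: it walks an external-storage tree (/sdcard on the device, or a copy pulled with adb) looking for the com.mufc.umbtts directory named in the article and for APK files parked in hidden or package-named directories, which is the kind of leftover that survives a factory reset. Only the directory name comes from the article; the other heuristics are assumptions.

```shell
#!/bin/sh
# Scan an Android external-storage tree for xHelper-style leftovers.
# Constructed example; only XHELPER_DIR is taken from the article.

XHELPER_DIR="com.mufc.umbtts"

# scan_storage ROOT
# Prints one finding per line ("KIND<TAB>path"); prints nothing when clean.
scan_storage() {
    root="$1"
    old_ifs=$IFS
    IFS='
'
    # 1. Any directory carrying the name reported on infected devices.
    for d in $(find "$root" -type d -name "$XHELPER_DIR" 2>/dev/null); do
        printf 'KNOWN_DIR\t%s\n' "$d"
    done
    # 2. Any APK sitting under a dot-directory (hidden from the stock file
    #    manager) or inside a directory named like a package (reverse-DNS).
    for f in $(find "$root" -type f -iname '*.apk' 2>/dev/null); do
        rel=${f#"$root"/}                      # path relative to ROOT
        parent=$(basename "$(dirname "$f")")
        case "$rel" in
            .*/*|*/.*/*) printf 'HIDDEN_APK\t%s\n' "$f"; continue ;;
        esac
        case "$parent" in
            *.*.*) printf 'PKGDIR_APK\t%s\n' "$f" ;;
        esac
    done
    IFS=$old_ifs
}

# storage_is_clean ROOT -> exit status 0 when nothing was found, 1 otherwise.
storage_is_clean() {
    [ -z "$(scan_storage "$1")" ]
}

# Usage on a device: adb shell sh scan.sh, or run against a pulled copy:
#   storage_is_clean ./sdcard-copy || scan_storage ./sdcard-copy
```

Findings are paths only; removing them (and then rescanning) is what the article's advice amounts to, since an antivirus scan alone leaves the storage directories in place.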