Cybersecurity researchers have reported a serious incident that has been under constant monitoring this year: tens of thousands of Android users have been infected by a new, mysterious piece of malware that hides itself and reinstalls itself if it is deleted. Worse still, the malware comes back even after the victim performs a full factory reset of the infected device.
The malware is known as Xhelper. So far it has reached about 50,000 Android devices in the last six months and is continuing to spread, infecting at least 4,000 devices every month.
Xhelper Android malware capabilities:
reinstalls itself regularly, often within a day of being deleted
turns on the "install apps from unknown sources" setting
reinstalls itself after the device is restored to factory settings
is suspected of arriving via a malicious system app pre-installed on phones from certain brands (reportedly Chinese-made)
Origins of Xhelper Android Malware:
Unfortunately, researchers have not yet pinned down exactly where Xhelper comes from, but they suspect that a malicious system app pre-installed on Android devices from certain brands downloads the malware.
Malware analysis found none of the Xhelper samples on the Google Play Store, which suggests that users picked up Xhelper from unknown sources.
That is not the only conclusion: Xhelper was also seen reinstalling itself more frequently on certain phone brands, which leads researchers to believe the attackers are targeting specific brands. It is also plausible that Xhelper is spread by web redirects or shady websites that prompt users to download apps from untrusted third-party sources.
Xhelper Malware Modus-Operandi:
Once installed, Xhelper shows no regular user interface; instead it is installed as an application component with no entry in the device's app launcher, so the user never sees an icon for it.
Xhelper then launches itself on external events triggered by the user, such as connecting or disconnecting the device from a power supply, rebooting the device, or installing or uninstalling an app.
Its behavior starts by contacting its remote command-and-control server over an encrypted channel and downloading additional payloads such as droppers, clickers, and rootkits onto the compromised device.
The most alarming finding about this command-and-control server is that it serves as a pool of malware with wide and varied functionality, giving the attacker behind it multiple options, including data theft or even complete takeover of the device.
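The two traits described above (no launcher entry, and broadcast receivers that wake the app on power, boot or package events) are both visible in an app's manifest. The script below is an added example, not code from the article or from any published Xhelper analysis; it takes a decoded AndroidManifest.xml as text (for instance the one apktool writes out of an APK) and flags apps that combine both traits. The two manifests in it are constructed for illustration and do not come from any real sample.

```python
"""Triage a decoded AndroidManifest.xml for "hidden and self-starting" apps.

Flags an app that (a) declares no launcher activity, so it never appears in
the app drawer, and (b) registers broadcast receivers for events that start
it without the user opening it. Input is decoded manifest XML, e.g. from
apktool; raw APKs hold the manifest in binary XML and must be decoded first.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Broadcasts that let an app start itself without user interaction. These
# match the triggers described above: power connect/disconnect, reboot,
# and app install/uninstall.
WAKE_ACTIONS = {
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
}

# Constructed sample: no activity at all, only receivers on wake events.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hidden">
  <application android:label="helper">
    <service android:name=".SvcMain"/>
    <receiver android:name=".Wake">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".PkgWatch">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary alarm-clock style app. It also listens for
# BOOT_COMPLETED, but it has a launcher icon, so it is not flagged.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.alarm">
  <application android:label="Alarm">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def _attr(element, name):
    """Read an android:-namespaced attribute such as android:name."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def _filter_names(component, tag):
    """Names of all <action> or <category> entries in a component's filters."""
    return {_attr(e, "name")
            for f in component.findall("intent-filter")
            for e in f.findall(tag)}


def has_launcher_activity(app):
    """True if any activity (or alias) is reachable from the app drawer."""
    for act in app.findall("activity") + app.findall("activity-alias"):
        if ("android.intent.action.MAIN" in _filter_names(act, "action")
                and "android.intent.category.LAUNCHER" in _filter_names(act, "category")):
            return True
    return False


def wake_receivers(app):
    """Map receiver class name -> the wake actions it subscribes to."""
    found = {}
    for rcv in app.findall("receiver"):
        hits = _filter_names(rcv, "action") & WAKE_ACTIONS
        if hits:
            found[_attr(rcv, "name")] = hits
    return found


def triage_manifest(xml_text):
    """Return the package name, the two traits, and a combined verdict."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    launcher = app is not None and has_launcher_activity(app)
    receivers = wake_receivers(app) if app is not None else {}
    return {
        "package": root.get("package"),
        "has_launcher_activity": launcher,
        "wake_receivers": receivers,
        # Hidden from the drawer AND self-starting: worth a closer look.
        "suspicious": (not launcher) and bool(receivers),
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The verdict is a triage heuristic, not proof of infection: genuine system components and some background services also have no launcher icon, so a flagged package still needs to be checked by name, signer and origin (preloaded versus sideloaded) before it is treated as malicious.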
The Xhelper malware has been targeting Android smartphone users primarily in India, the United States, and Russia.
How to stay safe:
keep your device and apps up to date
avoid app downloads from unknown sources
never grant broad permissions to shady apps
back up your data frequently
Note that a factory reset alone is not enough: if Xhelper returns after a reset, the suspected source is a pre-installed system app, and the device's firmware itself should be treated as compromised.