

New 'unremovable' xHelper malware has infected 45,000 Android devices | ZDNet
source link: https://www.zdnet.com/article/new-unremovable-xhelper-malware-has-infected-45000-android-devices/
By Catalin Cimpanu for Zero Day | October 29, 2019 -- 16:05 GMT (00:05 GMT+08:00) | Topic: Security

Over the past six months, a new Android malware strain has made a name for itself after popping up on the radar of several antivirus companies, and by annoying users with a self-reinstall mechanism that has made it nearly impossible to remove.
Named xHelper, this malware was first spotted back in March but slowly expanded to infect more than 32,000 devices by August (per Malwarebytes), eventually reaching a total of 45,000 infections this month (per Symantec).
The malware is on a clear upward trajectory. Symantec says the xHelper crew is making on average 131 new victims per day and around 2,400 new victims per month. Most of these infections have been spotted in India, the US, and Russia.
Installed via third-party apps
According to Malwarebytes, the source of these infections is "web redirects" that send users to web pages hosting Android apps. These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan.
The good news is that the trojan doesn't carry out destructive operations. According to both Malwarebytes and Symantec, for most of its operational lifespan, the trojan has shown intrusive popup ads and notification spam. The ads and notifications redirect users to the Play Store, where victims are asked to install other apps -- a means through which the xHelper gang is making money from pay-per-install commissions.
But the most "interesting" thing is that xHelper doesn't work like most other Android malware. Once the trojan gains access to an Android device via an initial app, xHelper installs itself as a separate, standalone service.
Uninstalling the original app won't remove xHelper, and the trojan will continue to live on users' devices, continuing to show popups and notification spam.
"Unremovable"
Furthermore, even if users spot the xHelper service in the Android operating system's Apps section, removing it doesn't work, as the trojan reinstalls itself every time, even after users perform a factory reset of the entire device.
How xHelper survives factory resets is still a mystery; however, both Malwarebytes and Symantec said xHelper doesn't tamper with system services or system apps. In addition, Symantec also said that it was "unlikely that Xhelper comes preinstalled on devices."
In some cases, users said that even when they removed the xHelper service and then disabled the "Install apps from unknown sources" option, the setting kept turning itself back on, and the device was reinfected in a matter of minutes after being cleaned.
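The behaviour described above (a package that comes back after the user uninstalls it, plus additional packages that appear on their own) can be confirmed from package inventories rather than guessed at. The following is an added triage helper, not code from ZDNet, Malwarebytes or Symantec: it diffs three snapshots of `adb shell pm list packages -f` output taken before the uninstall, right after it, and after a reboot, and flags packages that were removed and reappeared as well as new non-system packages nobody installed. It also interprets the legacy `settings get secure install_non_market_apps` value that the "Install apps from unknown sources" toggle used to control. All package names and paths in the sample snapshots are constructed for the example and are not xHelper indicators.

```python
"""Diff Android package inventories across an uninstall and a reboot.

Capture the real inputs with:
    adb shell pm list packages -f > before.txt
    (uninstall the suspect app)
    adb shell pm list packages -f > after_uninstall.txt
    adb reboot && adb wait-for-device
    adb shell pm list packages -f > after_reboot.txt
    adb shell settings get secure install_non_market_apps
"""
from typing import Dict, Set

# Paths that belong to the firmware image; anything else was installed at runtime.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/system_ext/", "/apex/")


def parse_pm_list(text: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output.

    Each line looks like `package:<apk path>=<package name>`. The split is done on
    the last '=' because newer Android versions put '==' inside the APK path.
    """
    inventory: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        apk, pkg = line[len("package:"):].rsplit("=", 1)
        inventory[pkg] = apk
    return inventory


def is_system_package(apk_path: str) -> bool:
    return apk_path.startswith(SYSTEM_PREFIXES)


def triage(before: str, after_uninstall: str, after_reboot: str) -> Dict[str, Set[str]]:
    """Return packages that reinstalled themselves and packages that appeared on their own."""
    b, u, r = (parse_pm_list(s) for s in (before, after_uninstall, after_reboot))
    removed = set(b) - set(u)  # what the user actually uninstalled
    reinstalled = {p for p in removed if p in r}
    # New packages under /data/app that were in neither earlier snapshot: a dropper's work,
    # not the user's.
    new_nonsystem = {
        p for p, path in r.items()
        if p not in b and p not in u and not is_system_package(path)
    }
    return {"reinstalled": reinstalled, "new_nonsystem": new_nonsystem}


def unknown_sources_enabled(settings_value: str) -> bool:
    """Interpret `settings get secure install_non_market_apps` ("1", "0" or "null").

    Caveat: from Android 8 the permission is granted per installer app, so "0" or
    "null" here does not prove that side-loading is switched off for every app.
    """
    return settings_value.strip() == "1"


# Constructed sample snapshots (hypothetical package names, not real indicators).
BEFORE = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.cleaner-1/base.apk=com.example.cleaner
package:/data/app/com.example.helper-2/base.apk=com.example.helper
"""
AFTER_UNINSTALL = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""
AFTER_REBOOT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.helper-3/base.apk=com.example.helper
package:/data/app/com.example.dropped-1/base.apk=com.example.dropped
"""

if __name__ == "__main__":
    report = triage(BEFORE, AFTER_UNINSTALL, AFTER_REBOOT)
    print("reinstalled after reboot:", sorted(report["reinstalled"]))
    print("new non-system packages:", sorted(report["new_nonsystem"]))
    print("legacy unknown-sources toggle on:", unknown_sources_enabled("1"))
```

A package that shows up in `reinstalled` is the one to pull with `adb pull` for analysis, and its reappearance after a reboot (or after a factory reset, when the snapshots are taken around one) is the persistence symptom the reports describe; the new APK path suffix changing between snapshots (`-2` to `-3` in the sample) is consistent with a fresh install rather than a package that was never really removed.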
Over the past few months, many users have complained about xHelper's near "unremovable" state, on sites like Reddit, Google Play Help [1, 2], or other tech support forums.
Some users reported having success with some paid versions of mobile antivirus solutions, but others did not.
In a blog post published today, Symantec said the trojan is constantly evolving, with new code updates shipped on a regular basis, which explains why some antivirus solutions manage to remove one version of xHelper but not a later one.
There appears to be a battle between the xHelper crew and mobile antivirus solutions, with each one trying to get the better of the other.
Of note is that both Symantec and Malwarebytes have also put out a warning regarding xHelper's features. While the trojan is currently engaging in spam and ad revenue, it also possesses other, more dangerous features. Both companies said xHelper can download and install other apps, a function that the xHelper crew could use at any point to deploy second-stage malware payloads, such as ransomware, banking trojans, DDoS bots, or password stealers.