xHelper, The Unkillable Android Malware That Re-Installs After Factory Reset
April 8, 2020 Share

xHelper, The Unkillable Android Malware That Re-Installs After Factory Reset

xHelper, a new strain of Android malware is able to re-install itself on infected devices even after victims delete it or force a factory reset.

xHelper is a piece of malware that was first spotted in October 2019 by experts from security firm Symantec, it is a persistent Android dropper app that is able to reinstall itself even after users attempt to uninstall it.

The campaign began months before, the malware infected more than 45,000 Android devices in just six months and continuing to spread at a fast space.

At the time, Symantec estimated that the Xhelper malware was infecting at least 2,400 devices on an average each month, mainly in India, U.S., and Russia.

Now security experts from Kaspersky Lab have provided technical details about the malware shedding lights on its capabilities and the persistence mechanism implemented by the malicious code.

The researchers also provided information on how to remove xHelper from an infected device.

The malware is distributed as a popular cleaner and speed optimization app for mobile devices, most of the infections reported by Kaspersky are in Russia (80.56%), India (3.43%), and Algeria (2.43%).


Once installed on the mobile device, the “cleaner” disappears and remains visible only by inspecting the list of installed apps in the system settings.

Upon the installation, the malicious app registers itself as a foreground service and extracts an encrypted payload that gathers information about the victim’s device (android_id, manufacturer, model, firmware version, etc.) and sends it to a server under the control of the attackers (https://lp.cooktracking[.]com/v1/ls/get).

At this stage, a dropper tracked Trojan-Dropper.AndroidOS.Helper.b, is decrypted and launched, then it executes the Trojan-Downloader.AndroidOS.Leech.p malware that downloads the well known HEUR:Trojan.AndroidOS.Triada.dd with a set of exploits and attempts to obtain root privileges on the victim’s device.

“Malicious files are stored sequentially in the app’s data folder, which other programs do not have access to. This matryoshka-style scheme allows the malware authors to obscure the trail and use malicious modules that are known to security solutions.” continues the report. “The malware can gain root access mainly on devices running Android versions 6 and 7 from Chinese manufacturers (including ODMs). After obtaining privileges, xHelper can install malicious files directly in the system partition.”

The malicious code mounts a system partition at system startup in read-only mode. Leveraging the root privileged, it remounts the partition in write mode and proceeds to the main job of starting the tellingly named script forever.sh. Triada is then used to install its malicious programs there.

Upon installation, the malware waits for commands from the C2, it uses SSL certificate pinning to protect its communication.

“Bear in mind too that the firmware of smartphones attacked by xHelper sometimes contains preinstalled malware that independently downloads and installs programs (including xHelper). In this case, reflashing is pointless, so it would be worth considering alternative firmwares for your device. If you do use a different firmware, remember that some of the device’s components might not operate properly.” continues Kaspersky.

“The malware installs a backdoor with the ability to execute commands as a superuser. It provides the attackers with full access to all app data and can be used by other malware, too, for example, CookieThief.”

The malicious code assigns the immutable attribute for all files in the target folders making it difficult to delete the malware, “because the system does not allow even superusers to delete files with this attribute.”

Experts pointed out that xHelper also modifies a system library (libc.so) to prevent infected users from re-mounting system partition in the write mode.

Replacing the modified “libc.so” using one from the original Android firmware users could re-enable mounting system partition in the write-mode and remove xHelper Android malware.

“But if you have Recovery mode set up on your Android smartphone, you can try to extract the libc.so file from the original firmware and replace the infected one with it, before removing all malware from the system partition. However, it’s simpler and more reliable to completely reflash the phone.” concludes Kaspersky.

This post xHelper, The Unkillable Android Malware That Re-Installs After Factory Reset originally appeared on Security Affairs.

Read More