xHelper 'Unkillable' Malware Survives Factory Reset, Still Infecting Android Phones

We've discussed the rather nasty xHelper malware on a number of occasions here at HotHardware, and it's a rather insidious trojan. xHelper first started making the rounds roughly a year ago, and by October 2019 over 45,000 Android devices had fallen victim to it. As of now, that number has surpassed 50,000.

The folks over at Kaspersky have performed a rather thorough analysis of xHelper, which they detect as Trojan-Dropper.AndroidOS.Helper.h. It is typically distributed via apps that claim to clean your smartphone or boost its performance. Once the payload is downloaded, decrypted, installed and launched on a device, it fetches a second piece of malware, Trojan-Downloader.AndroidOS.Leech.p.

It doesn't stop there: Leech.p in turn downloads HEUR:Trojan.AndroidOS.Triada.dd, which attempts to gain root access on the device. If there's any consolation, Kaspersky notes that the root exploits only work on some cheap Chinese phones running Android 6 or Android 7. With root, it installs even more malware into the system partition and marks those files as immutable (the filesystem's immutable attribute), so they cannot be deleted, even by a process running as root, until that attribute is cleared. That makes it hard for antivirus programs to properly take care of the infection.


"Armed with root rights, the Trojan remounts it in write mode and proceeds to the main job of starting the tellingly named script forever.sh," writes Kaspersky's Igor Golovin. "Triada employs its best-known tricks, including remounting the system partition to install its programs there."

This is part of the reason why xHelper is considered "unkillable": it combines escalated privileges with the ability to re-download any missing components from its C&C server whenever some of its files are deleted, and the infection can even persist after a device has been factory reset.
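To make the immutable-attribute and remount mechanics concrete, here is a small triage helper. It is an added example written for this article, not code from HotHardware or from Kaspersky's analysis. It reads `lsattr -R` and `/proc/mounts` output as text (so it also runs offline on output captured from a device), lists files in the system partition that carry the immutable (`i`) attribute, and prints the root-shell commands an analyst would review before running them. It assumes a device where `/system` is a separate mount and where toybox provides `lsattr`/`chattr`; the sample output and every file path in it are constructed for illustration.

```shell
#!/bin/sh
# Added triage helper (not the article's or Kaspersky's code). Works on text
# piped in, so it can be run against captured output rather than a live device.

# Print the paths from lsattr output whose attribute column contains 'i'
# (immutable). An lsattr line looks like: ----i--------------- /system/xbin/foo
immutable_paths() {
    while read -r attrs path; do
        case "$attrs" in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# Report whether /system is mounted read-only (ro), read-write (rw) or not
# present (unknown), from /proc/mounts text. Assumes a separate /system mount.
system_mount_mode() {
    _mode=unknown
    while read -r dev mnt fstype opts rest; do
        if [ "$mnt" = "/system" ]; then
            case ",$opts," in
                *,ro,*) _mode=ro ;;
                *,rw,*) _mode=rw ;;
            esac
        fi
    done
    printf '%s\n' "$_mode"
}

# Emit the cleanup sequence: remount the system partition writable, clear the
# immutable flag on each path read from stdin, delete it, remount read-only.
# Nothing is executed here; the commands are printed for review.
cleanup_commands() {
    printf '%s\n' 'mount -o remount,rw /system'
    while read -r path; do
        printf 'chattr -i %s\n' "$path"
        printf 'rm -f %s\n' "$path"
    done
    printf '%s\n' 'mount -o remount,ro /system'
}

# Constructed sample output standing in for `lsattr -R /system/xbin` and
# `cat /proc/mounts` on an infected device. Paths are invented.
SAMPLE_LSATTR='-------------------- /system/xbin/su
----i--------------- /system/xbin/.helper
----i--------------- /system/xbin/forever.sh'
SAMPLE_MOUNTS='/dev/block/bootdevice/by-name/system /system ext4 ro,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev 0 0'

main() {
    echo "system partition mounted: $(printf '%s\n' "$SAMPLE_MOUNTS" | system_mount_mode)"
    echo "immutable files found:"
    printf '%s\n' "$SAMPLE_LSATTR" | immutable_paths
    echo "suggested cleanup (review before running as root):"
    printf '%s\n' "$SAMPLE_LSATTR" | immutable_paths | cleanup_commands
}
main
```

On a live device the same functions take real input, for example `adb shell lsattr -R /system | immutable_paths` and `adb shell cat /proc/mounts | system_mount_mode`. Deleting the files is only half the job: with root components still resident in memory, or with a firmware-level dropper, the deleted files are simply fetched again, which is why the article's point about reflashing stands.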

Further compounding the issue is that many of these cheap Android devices come from the factory with malware installed in the firmware, which will then proceed to download xHelper and other offending trojans. In these cases, Golovin points out that a factory reset is often pointless, and that one of the only sure-fire ways to rid your device of the infection is to use an alternative firmware, although he notes that "some of the device's components might not operate properly."

In the end, it's best to remain vigilant when installing software on Android devices (or any device for that matter). Although the Google Play Store has had its share of malware problems, downloading apps from third-party app stores or "untrusted sources" puts you at even greater risk of infection.