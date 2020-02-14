Credit: CC0 Public Domain

It has been called evil (oh, the reinfection of it all) and sneaky, and for good reason: it is what headache watchers know as xHelper, which, it turns out, keeps coming back once it has infected a device. The xHelper malware has been identified as a Trojan dropper.

A Trojan dropper? It installs malicious APKs on your phone without your knowledge or permission, according to TechRadar.

Nathan Collier, malware analyst at Malwarebytes, a company that, as the name suggests, is active in cybersecurity, knows firsthand about this malware dropper and its continued use of re-infection tactics.

How evil is the Android Trojan xHelper? Collier wrote: “This is by far the worst infection I’ve seen as a mobile malware researcher.” His experience had always led him to believe that a factory reset, though a last resort, could fix even the worst infection.

Not this time.

In fact, Collier said, the company already knew about it in 2019. As Dan Goodin reported in Ars Technica, Malwarebytes learned from detections by its Android antivirus app that xHelper was on 33,000 devices “mainly located in the United States, making the malware one of the biggest threats to Android”.

Consider the Symantec report in October 2019.

“Symantec has seen a surge in detections for a malicious Android application that can hide from users, download additional malicious apps, and display advertisements.”

The app managed to reinstall itself after users uninstalled it, Symantec said, and it was designed to stay hidden: it would not appear in the system launcher.

“The app has infected over 45,000 devices in the past six months.” Initially, the malware code was relatively simple, but over time the code changed. “Initially, the malware’s ability to connect to a C&C server was written directly into the malware itself. Later, this functionality was moved to an encrypted payload to avoid signature detection. Some older versions contained empty classes that were not implemented at the time, but the functionality is now fully activated. As already described, Xhelper’s functionality has been drastically expanded recently.”

By November 2019, Bruce Schneier, writing in Security Boulevard, acknowledged that identifying the perpetrator was not easy. “It’s a strange piece of malware,” he said. “This level of persistence speaks to a nation-state actor. The continued evolution of the malware implies an organized actor. But sending unwanted ads is too noisy for serious use. And the infection mechanism is pretty random. I just don’t know.”

In the meantime, Collier brought his readers up to date when “a tech-savvy user contacted us at the Malwarebytes support forum in early January 2020: ‘I have a phone infected with the xhelper virus. This persistent pain always comes back again.’”

The malice again lay in its persistence. Collier reported that “Malwarebytes for Android had successfully removed two variants of xHelper and a Trojan from the mobile device. The problem was that it kept coming back within an hour of being removed. xHelper kept reinfecting.”

Collier said that this aspect of xHelper struck him because he could not remember a time when an infection persisted after a factory reset unless the device had come with pre-installed malware.

In contrast to apps, directories and files on the Android device’s storage are retained even after a factory reset. Therefore, the device remains infected until those directories and files are removed. “Fortunately, I had the help of Amelia, who was just as persistent as xHelper itself, to find an answer and lead us to our conclusion.”

The culprit? Collier made progress in 2020: he dug in and found it. “Another Android application package (APK) was hidden in a directory called com.mufc.umbtts. The APK in question was a Trojan dropper, which we immediately named Android/Trojan.Dropper.xHelper.VRW. It is responsible for dropping a variant of xHelper, which then drops more malware within seconds.”

Another puzzle: Trojan.Dropper.xHelper.VRW did not appear to be installed anywhere on the device. “We believe it installed, ran, and uninstalled within seconds to avoid detection, all triggered by something from Google PLAY. The ‘how’ behind it is still unknown.”

Fortunately, Collier laid out steps to address xHelper, with detailed instructions. He first recommended installing the free Malwarebytes for Android.

He said to install a file manager from Google PLAY that can search files and directories; Amelia used ASTRO’s file manager. Collier also said to temporarily disable Google PLAY to stop the reinfection. Further instructions followed in his list.
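The check below is an added example, not from the article or from Malwarebytes: it applies the same remediation idea offline by scanning a copy of a device's shared storage (for instance, pulled to a workstation with adb) for the com.mufc.umbtts directory the article names and for any stray APK files, since storage contents are what survive a factory reset here. The sample tree, the function names and the path layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article or Malwarebytes). Scans a local copy of
# Android shared storage, e.g. obtained with `adb pull /sdcard ./sdcard`, for
# the directory the article names (com.mufc.umbtts) and for loose .apk files.
# Both are worth reviewing on a device that keeps reinfecting after a reset.

# Print each suspicious path under ROOT, one per line, sorted.
scan_storage() {
  root="$1"
  find "$root" \( -type d -name 'com.mufc.umbtts' \) \
               -o \( -type f -iname '*.apk' \) 2>/dev/null | sort
}

# Number of findings under ROOT (assumed helper, returns via stdout).
count_findings() {
  scan_storage "$1" | wc -l | tr -d ' '
}

# Constructed sample tree standing in for pulled storage: one benign photo,
# one benign download, and an APK hidden in the directory the article names.
make_sample_tree() {
  base="$1"
  mkdir -p "$base/DCIM/Camera" "$base/com.mufc.umbtts" "$base/Download"
  : > "$base/DCIM/Camera/IMG_0001.jpg"
  : > "$base/com.mufc.umbtts/payload.apk"
  : > "$base/Download/notes.txt"
}

# Usage: sh scan.sh --demo   (builds the sample tree and lists findings)
#        scan_storage ./sdcard   (against a real pulled copy)
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_tree "$tmp"
  scan_storage "$tmp"
  rm -rf "$tmp"
fi
```

On a live device the same `find` expression can be run through `adb shell` against /sdcard; the paths it prints are the ones to inspect and delete before re-enabling Google PLAY.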

Collier concluded by telling his readers that we may have ushered in a new era of mobile malware. “The possibility of reinfection using a hidden directory with an APK that evades detection is both frightening and frustrating. We’ll continue to analyze this malware behind the scenes. In the meantime, we hope this at least ends the chapter of this particular variant of xHelper.”

Cat Ellis, TechRadar: “If you see new app and notification icons that you don’t recognize, there is a possibility that your phone has been infected with this type of malware, although this is not always obvious. Malware is often disguised as legitimate system applications. The icons can be hidden.”

