Researchers at Symantec have spotted a new malware that hides on infected devices and is capable of reinstalling itself even after users delete it or factory reset their devices. In the last six months, the malware dubbed Xhelper has already infected more than 45,000 Android devices, with the highest rates of infection detected in India, the U.S., and Russia, and it is continuing to spread, infecting at least 2,400 devices on average each month.
The first variants of xHelper were observed in March this year, when the malware’s code was relatively simple. Since then the code has received additional functionality, including anti-detection capabilities, suggesting that the malware’s source code is still under active development.
The malware is delivered in the form of a malicious Android application that can hide itself from users, download additional malicious apps, and display advertisements. Xhelper is an application component and does not provide a regular user interface. It doesn’t show up in the device’s application launcher, which makes it easier for it to remain hidden from users, the researchers explained.
While Symantec’s research team hasn’t been able to identify the infection vector used by the threat actor behind xHelper, the experts believe that the malware is downloaded by a malicious system app that comes pre-installed on certain smartphone brands.
"None of the samples we analysed were available on the Google Play Store, and while it is possible that the Xhelper malware is downloaded by users from unknown sources, we believe that may not be the only channel of distribution. From our telemetry, we have seen these apps installed more frequently on certain phone brands, which leads us to believe that the attackers may be focusing on specific brands," the researchers wrote.
Once installed on the victim device, Xhelper decrypts into memory the malicious payload embedded in its package. That payload then connects to the attacker’s command and control (C&C) server and waits for commands. The communication channel is secured using a technique known as SSL certificate pinning.
To launch itself, the malware relies on external events triggered by users, such as connecting or disconnecting the compromised device from a power supply, installing or uninstalling apps, or rebooting the device.
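As an added example (not code from the article or from Symantec), the following triage check scans a decoded AndroidManifest.xml for the profile described above: a package with no launcher entry whose receivers register for the power, package-install/uninstall and boot events the malware uses as launch triggers. It assumes the manifest has already been decoded from an APK to plain XML (as a tool such as apktool produces); the sample manifest and its package name are constructed, not taken from a real sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Broadcast actions matching the launch triggers the article lists:
# power connect/disconnect, app install/uninstall, and reboot.
TRIGGER_ACTIONS = {
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
    "android.intent.action.BOOT_COMPLETED",
}

def triage_manifest(manifest_xml):
    """Return (has_launcher, triggers, suspicious) for a decoded AndroidManifest.xml.
    suspicious = no MAIN/LAUNCHER activity AND a receiver for a TRIGGER_ACTIONS event."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return False, [], False
    has_launcher = False
    for act in app.findall("activity"):
        for f in act.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in f.findall("action")}
            cats = {c.get(ANDROID_NS + "name") for c in f.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                has_launcher = True
    triggers = set()
    for rcv in app.findall("receiver"):
        for a in rcv.iter("action"):
            name = a.get(ANDROID_NS + "name")
            if name in TRIGGER_ACTIONS:
                triggers.add(name)
    return has_launcher, sorted(triggers), (not has_launcher and bool(triggers))

# Constructed sample (not a real Xhelper sample): no launcher entry, receivers
# for power, package-install and boot events.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.placeholder"><application>
  <receiver android:name=".EventReceiver"><intent-filter>
    <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
    <action android:name="android.intent.action.PACKAGE_ADDED"/>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
  </intent-filter></receiver></application></manifest>"""
```

A launcher-less package that only wakes on these broadcasts is a heuristic, not proof: legitimate background services can look similar, so treat a hit as a prompt for closer inspection of the package's origin and payloads.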
Once launched, the malware connects to the C&C server and downloads additional payloads, like droppers, clickers, and rootkits.
"We believe the pool of malware stored on the C&C server to be vast and varied in functionality, giving the attacker multiple options, including data theft or even complete takeover of the device," Symantec said.