30 October 2019

New ‘unremovable’ trojan infected over 45,000 Android devices in the past 6 months

Researchers at Symantec have spotted a new Android malware that hides on infected devices and is capable of reinstalling itself even after users delete it or factory reset their devices. In the last six months the malware, dubbed Xhelper, has infected more than 45,000 Android devices, with the highest infection rates in India, the U.S., and Russia, and it continues to spread at a rate of at least 2,400 newly infected devices a month on average.

The first variants of Xhelper were observed in March 2019, when the malware's code was relatively simple. Since then it has gained additional functionality, including anti-detection capabilities, which suggests the code is still under active development.

The malware is delivered as a malicious Android application that hides itself from users, downloads additional malicious apps, and displays advertisements. Xhelper is an application component and does not provide a regular user interface: it does not appear in the device's application launcher, which makes it easier for it to remain hidden from users, the researchers explained.

While the Symantec research team has not been able to identify the infection vector used by the threat actor behind Xhelper, the researchers believe the malware may be downloaded by a malicious system app that comes pre-installed on certain smartphone brands.

"None of the samples we analysed were available on the Google Play Store, and while it is possible that the Xhelper malware is downloaded by users from unknown sources, we believe that may not be the only channel of distribution. From our telemetry, we have seen these apps installed more frequently on certain phone brands, which leads us to believe that the attackers may be focusing on specific brands," the researchers wrote.

Once installed on the victim's device, Xhelper decrypts the malicious payload embedded in its package directly into memory. That payload then connects to the attacker's command and control (C&C) server and waits for commands. The C&C channel uses SSL certificate pinning: the malware accepts only the attacker's server certificate, so a man-in-the-middle proxy presenting its own certificate cannot intercept or inspect the traffic.

To launch itself the malware relies on external events triggered by the user or the system, such as connecting the compromised device to or disconnecting it from a power supply, installing or uninstalling apps, or rebooting the device.
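As an added illustration (not code from the article or from Symantec), the Python script below triages a decoded AndroidManifest.xml for the two traits the article describes: no launcher activity, so the app never appears in the app drawer, and a broadcast receiver registered for the standard Android actions that correspond to the listed wake-up triggers (ACTION_POWER_CONNECTED, ACTION_POWER_DISCONNECTED, PACKAGE_ADDED, PACKAGE_REMOVED, BOOT_COMPLETED). The manifest, the package name and the class names in it are constructed for the example and are not taken from an Xhelper sample.

```python
"""Triage a decoded AndroidManifest.xml for a hidden, self-starting app.

Illustrative example, not Symantec's or Xhelper's code.  The sample
manifest below is constructed; run a real APK through apktool (or a
similar decoder) to obtain the plain-XML manifest this script expects.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # the android:name attribute, namespaced

# Standard Android broadcast actions matching the triggers in the article:
# charger plugged/unplugged, app installed/removed, device rebooted.
WAKE_ACTIONS = {
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
    "android.intent.action.BOOT_COMPLETED",
}

# Constructed sample: a service plus a receiver, and no launcher activity.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hidden.helper">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="helper">
    <service android:name=".SyncService"/>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def has_launcher_activity(root):
    """True if any activity is exposed in the app drawer (MAIN + LAUNCHER)."""
    for activity in root.iter("activity"):
        for intent_filter in activity.iter("intent-filter"):
            actions = {a.get(NAME) for a in intent_filter.iter("action")}
            categories = {c.get(NAME) for c in intent_filter.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                return True
    return False


def wake_triggers(root):
    """Sorted list of wake-up actions any manifest-declared receiver listens for."""
    found = set()
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME) in WAKE_ACTIONS:
                found.add(action.get(NAME))
    return sorted(found)


def triage(manifest_xml):
    """Summarise the hidden/self-starting traits of one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    launcher = has_launcher_activity(root)
    triggers = wake_triggers(root)
    return {
        "package": root.get("package"),
        "has_launcher": launcher,
        "wake_triggers": triggers,
        # Hidden from the app drawer AND woken by system events: worth a
        # closer look, but not proof of malice on its own (see note below).
        "suspicious": (not launcher) and bool(triggers),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Treat the result as a triage heuristic rather than a detection: widgets, keyboards and background services legitimately have no launcher activity, and many benign apps register BOOT_COMPLETED. The value of the check is in narrowing a device's package list to the few apps that combine both traits and then examining what those apps do once woken, for example whether they decrypt and load a further payload as the article describes.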

Once launched, the malware connects to the C&C server and downloads additional payloads such as droppers, clickers, and rootkits.

"We believe the pool of malware stored on the C&C server to be vast and varied in functionality, giving the attacker multiple options, including data theft or even complete takeover of the device," Symantec said.
