Hardly removable Xhelper malware targets thousands of Android phones

Highly persistent Android malware Xhelper entered the Android scene, and the infection rate keeps growing

Security experts claim Xhelper Android malware is looking forward to infecting 2,400 devices monthly

New Android malware, dubbed Xhelper, has been targeting devices mostly in the United States, Russia, and India. During the past six months, the malicious payload was successfully installed on around 45,000 mobile devices already, and, as recent statistics show, it triggers 131 infections daily, with approximate 2,400 persistent infiltrations monthly.^[1]

Hundreds of users rushed Reddit and other message boards to complain about the mysterious Xhelper malware that does not get removed, even after they reboot or even factory reset their phones, as it keeps reinstalling continually. Additionally, most anti-virus software is not able to detect and shut down the infection permanently either, so users keep suffering from persistent, annoying pop-up notifications and similar ads.^[2]

Xhelper distribution methods still unclear: third-party Android app sites suspected

According to cybersecurity reports from Symantec, Xhelper was first spotted in March 2019. Even though it is not currently precisely known what type of sources the malware is coming from, cybersecurity specialists speculate that it comes from unreliable Android applications that can be found in various third-party websites but not in Google Play:

None of the samples we analyzed were available on the Google Play Store, and while it is possible that the Xhelper malware is downloaded by users from unknown sources, we believe that may not be the only channel of distribution.

It is not a secret that malicious apps sometimes manage to bypass scanners of the official App sources such as Google Play or App Store.^[3] Thus, it is unsurprising that third-party sites, which do not have significant resources to check all the incoming apps, would host malware-induced applications.

However, researchers claim that rogue third-party apps might not be the only method used for Xhelper distribution,^[4] as they have spotted that the malware is more likely to target specific phone brands. It is known that some of the cheap phone brands sometimes come pre-installed with malicious modules that might later download the malware. Nevertheless, since Xhelper does not gets removed by factory reset, it is unlikely that malware is embedded within the system.

Xhelper's module has been highly-developed since its first appearance in May 2019

When Xhelper was first released, the malware included a very simple module, and its main function was to redirect users to advertisement-filled websites for monetization purposes. However, the goal and module of this malware have changed since the past months.^[5]

Now, Xhelper can avoid signature detection when the capability of communicating via a Command and Control server was transferred to the encrypted payload, whereas in the past, it was included in the trojan itself. Symantec speculates that the malware might still be a work in progress and might be aiming to target users of Reliance Jio Infocomm Limited^[6] that is India's largest 4G network.

Xhelper malware is not included in the device's application launcher, and this allows it to execute its malicious commands and carry out different tasks in the background. The malware is executed remotely whenever a mobile device is restarted, the user (un)installs a program on it, or connects/disconnects the Android phone from a battery charging service. Afterward, the trojan uses specific tactics such as including itself as a foreground service to avoid deactivation if the phone runs into low memory space or reboots itself automatically if the malicious process is corrupted.

When Xhelper has reached its target, it can start executing various malicious activities. If successful C&C communication by using SSL certificate pinning is performed, the trojan will supposedly drop malicious content such as rootkits, clickers, and other unknown payloads on the device. Finally, the malware might attempt to harvest personal information and gain control of the user's Android phone system, as well as files stored on it:^[7]