New 'Unremovable' XHelper Malware Has Infected 45,000 Android Devices (zdnet.com)
An anonymous reader quotes a report from ZDNet: Over the past six months, a new Android malware strain has made a name for itself after popping up on the radar of several antivirus companies, and annoying users thanks to a self-reinstall mechanism that has made it near impossible to remove. Named xHelper, this malware was first spotted back in March but slowly expanded to infect more than 32,000 devices by August (per Malwarebytes), eventually reaching a total of 45,000 infections this month (per Symantec). The malware is on a clear upward trajectory. Symantec says the xHelper crew is making on average 131 new victims per day and around 2,400 new victims per month. Most of these infections have been spotted in India, the U.S., and Russia.
According to Malwarebytes, the source of these infections is "web redirects" that send users to web pages hosting Android apps. These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan. The good news is that the trojan doesn't carry out destructive operations. According to both Malwarebytes and Symantec, for most of its operational lifespan, the trojan has shown intrusive popup ads and notification spam. The ads and notifications redirect users to the Play Store, where victims are asked to install other apps -- a means through which the xHelper gang is making money from pay-per-install commissions. What's interesting about xHelper is that it gains access to an Android device via an initial app and installs itself as a separate self-standing service. Furthermore, you can't remove the app, as the trojan reinstalls itself every time, even after users perform a factory reset.
Re: (Score:3)
"How could people purposefully install software on their own devices??"
Re: wow (Score:2)
I'm glad I'm not stupid and reckless about what I install.
Re: (Score:2)
I do but then I check such apps using virustotal.com.
And even if I sideload an app I make sure the APK is digitally signed and I'm OK with the requested permissions and the app doesn't contain native code (which automatically raises all possible alarms).
"even after users perform a factory reset" (Score:4, Insightful)
Or, to put this another way "factory reset" does nothing of the kind.
Login, SD restore personalized settings after rese (Score:5, Interesting)
I haven't had the opportunity yet to forensically examine this particular malware, but I have an educated guess on that.
When I got a new phone, I logged in with my Google account and after clicking a couple of prompts my new, factory-fresh, phone had all my apps and data, just like my old phone. Very handy. Much of my data and some of my apps are in my SD card. When I install Chrome on a new device (or log into Chrome), I get all my Chrome settings and bookmarks on the new device. That's also convenient.
I suspect AFTER factory reset clears the phone (but not the "external" SD card), users then login with their existing Google account and often select the option to set everything up back the way they had it. That would include their Chrome home page, hacker.com, which redirects to Google after it does its nastiness. It would also include the Chrome setting to warn about apk files.
The malicious app probably also installs itself on the SD card. That's what I would do if I were a bad guy, with users following my instructions to install my trojan.
So it may well be that factory reset is just exactly like a factory-fresh phone - which stops being factory-fresh after the user asks for their "new" phone to be set up just like it used to be.
My understanding is that factory reset deletes the encryption key for the writeable partition and generates a new one. That would indeed make it like new. Except for the removable SD card. But only until the user logs in and clicks "reinstall all the apps and settings I used to have".
Re:Login, SD restore personalized settings after r (Score:5, Interesting)
Factory reset quick formats the data and cache partitions. All the data remains. IF you have encrypted your device, then it behaves as you describe, and the existing data is unrecoverable, but it still doesn't affect the system partition. Some devices encrypt by default, some don't.
Google doesn't restore non-play-store apps to your device. It does restore settings. But if the user is being infected by sideloaded apps, they would still have to manually reinstall it. And they'd still be asked if they want to install the APK, even if they weren't warned that it was a bad idea.
Re:"even after users perform a factory reset" (Score:4, Insightful)
It doesn't. It notably doesn't affect the system partition. It wipes data and cache. It also leaves the SD card (or any virtual SD card partitions) alone. So either:
1. They have figured out how to get an app to auto install from one of the user writable partitions that isn't wiped in a so called factory reset
2. They have found a way to alter the system partition.
3. They have subverted security on the bootloader or recovery partition.
If the answer is 3 then things are potentially very bad. The user often cannot rewrite the bootloader. If the bootloader is unlockable, they can replace the recovery image, however.
If the answer is 2, things are moderately bad, but one can often download a system image from the vendor, or from XDA-Developers, and rewrite it with fastboot.
If the answer is 1, that should be easy to defeat. So 2 seems more likely to me.
If I had to guess, and I do because I haven't got this problem, the answer is 2. But then, even the chuckleheads at Symantec should be able to figure that one out...
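A defender-side way to test the hypotheses in the two comments above (factory reset wipes /data and cache but not the system partition; sideloaded apps have to be reinstalled by hand): classify every installed package by where its APK lives and who installed it. This is an added example, not code from the thread; it assumes the line format printed by `adb shell pm list packages -f -i` (`package:<apk path>=<package>  installer=<installer|null>`), the package listing and the system baseline are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the thread): triage an Android package listing to tell
# Play-installed, sideloaded and unexpected system-partition packages apart.
# Assumed input format, as printed by `adb shell pm list packages -f -i`:
#   package:<apk path>=<package name>  installer=<installer package|null>

# Constructed sample listing, standing in for real `adb shell` output.
SAMPLE='package:/system/priv-app/Settings/Settings.apk=com.android.settings  installer=null
package:/data/app/com.example.legit-1/base.apk=com.example.legit  installer=com.android.vending
package:/data/app/com.example.sideloaded-2/base.apk=com.example.sideloaded  installer=null
package:/system/app/Unexpected/Unexpected.apk=com.example.unexpected  installer=null'

# Constructed baseline: package names expected on the read-only system image
# (in practice, dump this from a freshly flashed device or the vendor's image).
BASELINE='com.android.settings'

# classify_pkg <apk path> <installer> <package name> <baseline>
# Prints: SYSTEM_BASELINE, SYSTEM_UNEXPECTED, PLAY or SIDELOADED.
# SYSTEM_UNEXPECTED matches the "altered system partition" hypothesis: a factory
# reset wipes /data and cache, so a survivor must live somewhere else.
classify_pkg() {
  case $1 in
    /system/*|/product/*|/vendor/*)
      case " $4 " in
        *" $3 "*) echo SYSTEM_BASELINE ;;
        *)        echo SYSTEM_UNEXPECTED ;;
      esac ;;
    *)
      # Anything not recorded as installed by the Play Store counts as sideloaded.
      [ "$2" = com.android.vending ] && echo PLAY || echo SIDELOADED ;;
  esac
}

# triage <listing> <baseline>: one "CLASS package path" line per package.
triage() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    rest=${line#package:}
    path=${rest%%=*}
    rest=${rest#*=}
    pkg=${rest%%  installer=*}
    installer=${rest##*installer=}
    echo "$(classify_pkg "$path" "$installer" "$pkg" "$2") $pkg $path"
  done
}

# count_class <CLASS>: how many sample packages fell into that class.
count_class() { triage "$SAMPLE" "$BASELINE" | grep -c "^$1 "; }

triage "$SAMPLE" "$BASELINE"
```

If the system or recovery partition really has been altered (hypotheses 2 and 3), the package manager on that device cannot be trusted to report honestly, so compare its listing against one taken from a freshly flashed vendor image rather than against the device's own word.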
Re: (Score:2)
Please point to a newer phone which still supports SD cards. Bonus if it also has a user replaceable battery and an audio jack.
It would be interesting to know what phones, and what Android versions, this affects. Does it affect phones with signed partitions?
Re: (Score:2)
They discontinued it, but the moto x4 has the headphone jack and the sd card slot. I got mine for $150, Android one edition. Normal MSRP was around $400. But Motorola hasn't committed to bringing out Android 10 for it, and I suspect that they're going to kill time until they don't have to. They claim they're evaluating it, but betas have been out for ages, they didn't bother to evaluate those? Other vendors are shipping updates already.
I sure hope they don't fuck this up or my choices for phones with update
Moto e5 line (several versions) (Score:2)
The Moto e5 is another line that has these things. There are several different phones in the line.
So that's at least two Motorola lines. I wouldn't be surprised if other Motorola phones do as well.
Re: (Score:2)
You've apparently not heard of the Google Pixels. Last Samsung I dealt with had some "Knox" bullshit, a bunch of proprietary OS changes which were unreliable, and it all seemed to be getting worse.
Re: (Score:2)
They tend to be spendy. I sure hope this X4 lasts a while.
Re: (Score:2)
"3a < $400."
Re: (Score:2)
Yeah, but I paid less than half that for my X4, which meets my needs. I don't need a badass phone. It just has to have decent performance (not choking on basic tasks), water resistance, a headphone jack and a uSD slot. I use those. Oh yeah, and an unlockable bootloader so I can repurpose it later.
Like I said though, hopefully my current phone will last a while. I'm happy with it. If it had a removable battery I'd be ecstatic.
Re: (Score:2)
Fair enough, I try not to buy Samsung products anyway. I do have a Samsung 25.5" monitor which I got at a yard sale for fifty bucks, and recapped for another twenty-five or so when it got flickery. It gets ridiculously hot, though, so I don't think I'd buy another one. I was using it before I took it out to repair, and by the time I got it open the shields were still too hot to hold. No wonder those poor caps leaked.
Re: (Score:2)
Please point to a newer phone which still supports SD cards. Bonus if it also has a user replaceable battery and an audio jack.
The Note 10+ has an SD card and was released Aug 2019, not sure if that is new enough for you.
Re: (Score:2)
Please point to a newer phone which still supports SD cards. Bonus if it also has a user replaceable battery and an audio jack.
Almost all Android One devices support SD cards and have a headphone jack.
Removable batteries are much rarer but the Nokia 2.2 matches all your requirements.
Re: (Score:1)
Please point to a newer phone which still supports SD cards. Bonus if it also has a user replaceable battery and an audio jack.
Just bought a new Moto G7 power. Supports SD cards, has headphone socket, and I'm using both.
(Battery not easily replaceable but it has a ridiculously large battery which lasts for up to a week so it would probably be OK even if at 60% capacity. £159.99 in the UK, unlocked. Highly recommended for anyone looking to spend that sort of amount who wants battery life but isn't too
Re: "even after users perform a factory reset" (Score:2)
Not all system vendors offer a system image to reinstall the device with.
Re: (Score:2)
This is true, which is why I never claimed otherwise.
However, you can often find unofficial factory images on XDA-Devs.
Re: (Score:2)
4. The malware really is gone after the factory reset but it comes back through a vulnerability/backdoor in the original firmware.
5. The user reinstalled the malware.
Number 5 may seem stupid but you shouldn't underestimate stupidity.
Best article for re-installing Android? (Score:2)
Here is one: How do I reinstall Android OS and all default drivers in a mobile phone? [quora.com]
Re: (Score:2)
The best thing IMO is to go to the XDA-Developers forums for your device. There you will find unlock instructions, flashing instructions, drivers, and system images - usually both factory and custom ones, assuming your bootloader is unlockable. But this is slashdot, so surely we're all smart enough to have done our homework and buy unlockable devices, right? Right? Bueller?
Re: (Score:2)
XDA is where I go to do research if a phone is worth getting. For example, if a phone has no factory restore flash, no SD card, no way to unlock the bootloader, e-Fuses, and has generous heapings of bloatware that can't be disabled, I'll pass it by.
There has to be a market for phones with unlockable bootloaders, and SD card slots. I wish someone out there would see this and make something. Bonus if there is LineageOS support out of the box.
Re: (Score:2)
"There has to be a market for phones with unlockable bootloaders, and SD card slots. I wish someone out there would see this and make something."
Most Motorola phones fit this description. Last I looked, most Sony and Samsung phones did as well. I know both Moto and Sony still offer unlocking. Moto even offered both of those things plus a headphone jack AND a removable battery in at least one model that I noticed while ordering my X4, which has all of that except the user-swappable battery, plus standards-co
Re: (Score:2)
The only vendor I know of that is using decent SoCs is the Librem group, and I've yet to see reports of an actual product. However, the SoC models they are using are designed for industrial uses, and have a 20+ year supported life.
Re: (Score:2)
How do you define decent? And how do you ensure 20 years of support? Both seem unrealistic, and the latter seems even more so without fully open sourced drivers. As I understand it that's a goal which they haven't realized yet, to say nothing of putting devices in the hands of customers and not only those of employees.
No such thing as unremovable (Score:1)
How have the antivirus companies not been able to figure this one out? Comparing the before and after for the various parts of the system ought to be simple enough, down to the bit level if necessary. It should be easy enough to get a device infected so it can be compared.
Re: (Score:2)
"The cure? Go with iOS. It is pretty much 100% secure from this."
As shipped it's secure from attacks from sideloaded apps, because it doesn't permit that behavior. But Apple has delivered malware via their store before, so it is clearly not 100% secure. Hence your weasel words, of course.
What's the problem? (Score:2, Flamebait)
So some people deliberately install crap on their devices and then suffer the consequence of their actions. What is the problem? These poor butterflies should STFU, this is how the real world works.
If you drink a lot of alcohol you might fall down and crack your head open on the sidewalk and die. This is a consequence of your decision to get drunk and is not the fault of the company that made the cement, poured the concrete, or sold you the alcohol. It is solely and entirely your own fault for drinking
Re: (Score:2)
Welcome to the modern world, where there is no personal responsibility. It's never _your_ fault - it's the government for not protecting you, or basically any "deep pockets" you can sue. Get shot by a reprobate? Sue the gun manufacturer! Spill hot coffee on yourself? Sue Micky D's!
Pro Tip (Score:3, Informative)
Turn off JavaScript when you browse, and only turn it on for a site you absolutely trust.
Solves all manner of issues.
Mod parent up (Score:2)
Turn off JavaScript when you browse, and only turn it on for a site you absolutely trust.
Solves all manner of issues.
^^^THIS
Yep, between NoScript and Adblock I've never (to my knowledge) been infected.
Disabling javascript except when required will do more to improve your security than all the anti-virus software in the world.
Re: (Score:2)
Sandboxie sandbox has been made free. They say they want to open source it at some point.
BS (Score:3)
This sounds like complete and utter BS unless this trojan gets root access which is generally impossible. Factory reset wipes everything from the Android phone, sans the system partition and a few auxiliary partitions with the bootloader, firmware, etc. but they are all RO for the user and you can't modify them.
Log file of the malware (Score:3)
!X id1
id1: Friar Tuck... I am under attack! Pray save me!
id1: Off (aborted)
id2: Fear not, friend Robin! I shall rout the Sheriff
of Nottingham's men!
id1: Thank you, my good fellow!
For those that get the joke; you're my people.
Re: (Score:2)
Thank you. You just made my day, and it's only 3am.