Researchers observed a persistent malicious Android dropper app dubbed XHelper capable of reinstalling itself again if users uninstalled from the devices.
The malicious app is persistent, once the app installed it hides and downloads other malware, displays pop-up ads. The malware found to be downloaded from unknown sources, not available with Google play.
Mysterious origins
While the exact origins of the malicious app packed with the Xhelper malware is being actively investigated, Symantec suspects the infection is possibly downloaded by users from unknown sources via a malicious system app that’s persistently downloading the malware despite users performing factory resets and manually uninstalling it.
MalwareBytes researchers, on the other hand, believe it’s being spread via shady game websites that tricks unsuspecting users into downloading apps from untrusted third-party sources.
Aside from operating silently in the background, xHelper takes its stealth behavior to new heights by not creating an app icon or a shortcut icon on the home screen launcher. The only indicator is a listing in the app info section of the infected phone’s settings.
The lack of an app icon means the malware cannot be launched manually. But to get around the problem, it relies on external triggers — like connecting or disconnecting the infected device from a power supply, rebooting a device, or installing or uninstalling an app — to run itself as a foreground service that minimizes the chance of getting killed.
Android Trojan xHelper
The malware was spotted in earlier May and slowly it climbs to the list of top 10 mobile malware, it targets Android users by masquerade the name of legitimate apps.
Threat actors behind XHelper malware primarily target the Android users in India, the U.S., and Russia. The malicious app infects more than 45,000 devices in the past six months.
Several users complained about the XHelper malware on various online forums, states that “antivirus app didn’t detect it”.
According to Symantec analysis, the “XHelper doesn’t have a regular user interface, it is an application component and it won’t be listed in the device’s application launcher. This makes malware more stealthy and performs its malicious activities undercover.”
The mysterious malware cannot be launched manually as it has no available icons, it initiates automatically under certain external events such as the device “connected to or disconnected from a power supply, the device is rebooted, or an app is installed or uninstalled.”
“Once launched, the malware will register itself as a foreground service, lowering its chances of being killed when memory is low and connect’s to attackers C&C server and wait for commands. To avoid communication interception SSL certificate pinning is used.”
Earlier Malwarebytes noted that the xHelper malware has Full-stealth & semi-stealth versions. Both the versions hide from the App launcher, the only difference is that the semi-stealth version creates icon “xHelper” in notifications, the full-stealth version deletes all traces.
With full-stealth version, the xHelper appears only in-app info section.
Once it successfully installed in the device it communicates wit C&C and capable of downloading droppers, clickers, and rootkits to the compromised device.
Researchers believe the development of the app still in progress and they suspect, the attackers may target users of India’s largest 4G network by masquerading the Jio app.
Some users said that they suppressed Xhelper activity by turning off permissions and locking them using app lock software. Some users said that “tried denying permissions to xHelper without uninstalling, but it turned on all permissions again.”
