Stubborn strain of Android malware disses resets

A Trojan dropper? It installs malicious APKs on your phone without your knowledge or permission, said TechRadar.

Nathan Collier, a malware analyst at the cybersecurity company Malwarebytes, knows firsthand about this malware dropper and its persistent re-infection tactics.

How nasty is the Android Trojan xHelper? Collier wrote that "This is by far the nastiest infection I have encountered as a mobile malware researcher." His work had always led him to believe that a factory reset, though a last resort, could resolve even the worst infection.

Not this time.

Actually, said Collier, the company knew about this back in 2019. Eventually, reported Dan Goodin in Ars Technica, Malwarebytes would come to learn through its Android antivirus app detection that xHelper was on 33,000 devices "mostly located in the US, making the malware one of the top Android threats."

Consider the report by Symantec back in October 2019.

"Symantec has observed a surge in detections for a malicious Android application that can hide itself from users, download additional malicious apps, and display advertisements."

Symantec noted its ability to reinstall itself even after users had uninstalled it, and said it was designed to stay hidden: it would not appear in the system's launcher.

"The app has infected over 45,000 devices in the past six months." At the very start, the malware's code was relatively simple, but over time the code changed. "Initially, the malware's ability to connect to a C&C server was written directly into the malware itself, but later this functionality was moved to an encrypted payload, in an attempt to evade signature detection. Some older variants included empty classes that were not implemented at the time, but the functionality is now fully enabled. As described previously, Xhelper's functionality has expanded drastically in recent times."

By November 2019, Bruce Schneier, writing in Security Boulevard, acknowledged that pinning down the culprit was not easy. "It's a weird piece of malware," he remarked. "That level of persistence speaks to a nation-state actor. The continuous evolution of the malware implies an organized actor. But sending unwanted ads is far too noisy for any serious use. And the infection mechanism is pretty random. I just don't know."

Meanwhile, Collier brought his readers up to recent times, when "a tech savvy user reached out to us in early January 2020 on the Malwarebytes support forum: 'I have a phone that is infected with the xhelper virus. This tenacious pain just keeps coming back.'"

Again, the nastiness resided in its persistence. Collier reported that "Malwarebytes for Android had already successfully removed two variants of xHelper and a Trojan agent from her mobile device. The problem was, it kept coming back within an hour of removal. xHelper was re-infecting over and over again."

Collier said this aspect of the xHelper stands out for him because he could not recall a time that an infection persisted after a factory reset unless the device came with pre-installed malware.

Unlike apps, directories and files can remain on the Android device even after a factory reset. Until those directories and files are removed, the device keeps getting re-infected. "Luckily, I had Amelia's help, who was as persistent as xHelper itself in finding an answer and guiding us to our conclusion."

The culprit? In 2020, Collier made some headway. This is what his investigation found: "Hidden within a directory named com.mufc.umbtts was yet another Android application package (APK). The APK in question was a Trojan dropper we promptly named Android/Trojan.Dropper.xHelper.VRW. It is responsible for dropping one variant of xHelper, which subsequently drops more malware within seconds."

The mystery deepened: nowhere on the device did Trojan.Dropper.xHelper.VRW appear to be installed. "It is our belief that it installed, ran, and uninstalled again within seconds to evade detection, all by something triggered from Google PLAY. The 'how' behind this is still unknown."

Fortunately, Collier wrote up detailed steps for addressing xHelper. He first recommended installing the free Malwarebytes for Android.

He then said to install a file manager from Google PLAY capable of searching files and directories (Amelia used File Manager by ASTRO) and to disable Google PLAY temporarily, to stop re-infection. More instructions followed in the list.
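As an added illustration of the search step described above (not code from Malwarebytes or the original article), the following POSIX shell script sweeps a local copy of a device's shared storage for APK payloads sitting in the reported com.mufc.umbtts directory or in any hidden directory, identifying them by their ZIP magic rather than by extension, and moves them to a quarantine folder for analysis. It assumes the storage copy was made with `adb pull /sdcard ./sdcard`; the directory name and the quarantine layout are the only page-specific assumptions.

```shell
#!/bin/sh
# Added example (not Malwarebytes code): sweep a local copy of an Android
# device's shared storage for APK payloads hiding in directories that survive
# a factory reset. Assumption: ROOT is a copy made with `adb pull /sdcard ./sdcard`.

XHELPER_DIR="com.mufc.umbtts"   # dropper directory named in the Malwarebytes report

# Succeeds if the file starts with the ZIP local-file-header magic "PK\003\004";
# every APK is a ZIP, whatever extension the dropper gives the file.
is_zip_like() {
    [ -f "$1" ] || return 1
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "504b0304" ]
}

# Print every ZIP-magic file under ROOT that sits inside the known dropper
# directory or inside any dot-prefixed (hidden) directory, one path per line.
find_dropper_apks() {
    root="${1%/}"
    find "$root" -type f 2>/dev/null | while IFS= read -r f; do
        rel="${f#"$root"/}"
        case "$rel" in
            "$XHELPER_DIR"/*|*/"$XHELPER_DIR"/*|.*/*|*/.*/*)
                if is_zip_like "$f"; then printf '%s\n' "$f"; fi ;;
        esac
    done
}

# Move the findings into QDIR (flattened names) rather than deleting them, so a
# sample is kept for analysis. Prints the number of files moved.
quarantine_apks() {
    root="${1%/}"; qdir="$2"
    mkdir -p "$qdir"
    list=$(find_dropper_apks "$root")
    [ -n "$list" ] || { printf '0\n'; return 0; }
    printf '%s\n' "$list" | while IFS= read -r f; do
        rel="${f#"$root"/}"
        mv "$f" "$qdir/$(printf '%s' "$rel" | tr '/' '_')"
    done
    printf '%s\n' "$list" | wc -l | tr -d ' '
}
```

Run `find_dropper_apks ./sdcard` first to review the hits, then `quarantine_apks ./sdcard ./quarantine` to move them; delete the originals on the device only after Google Play has been disabled, as the article advises.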

Collier concluded by taking his readers into the bigger picture: we might have entered a new era in mobile malware. "The ability to re-infect using a hidden directory containing an APK that can evade detection is both scary and frustrating. We will continue analyzing this malware behind the scenes. In the meantime, we hope this at least ends the chapter of this particular variant of xHelper."
