Stubborn strain of Android malware disses resets

A trojan dropper? It installs malicious APKs on your phone without your knowledge or permission, said TechRadar.

Nathan Collier, a malware analyst at the cybersecurity company Malwarebytes, knows firsthand about this malware dropper and its persistent re-infection tactics.

Android Trojan xHelper is how nasty? Collier wrote that "This is by far the nastiest infection I have encountered as a mobile malware researcher." His experience had always led him to believe that a factory reset, though a last resort, could resolve even the worst infection.

Not this time.

Actually, said Collier, the company knew about this back in 2019. Eventually, reported Dan Goodin in Ars Technica, Malwarebytes would come to learn through its Android antivirus app detection that xHelper was on 33,000 devices "mostly located in the US, making the malware one of the top Android threats."

Consider the report by Symantec back in October 2019.

"Symantec has observed a surge in detections for a malicious Android application that can hide itself from users, download additional malicious apps, and display advertisements."

Symantec noted its ability to reinstall itself even after users had uninstalled it. Symantec said it was designed to stay hidden: it would not appear on the system's launcher.

"The app has infected over 45,000 devices in the past six months." At the very start, the malware's code was relatively simple, but over time the code changed. "Initially, the malware's ability to connect to a C&C server was written directly into the malware itself, but later this functionality was moved to an encrypted payload, in an attempt to evade signature detection. Some older variants included empty classes that were not implemented at the time, but the functionality is now fully enabled. As described previously, Xhelper's functionality has expanded drastically in recent times."

By November 2019, Bruce Schneier, writing in Security Boulevard, acknowledged how hard it was to pin down the culprit. "It's a weird piece of malware," he remarked. "That level of persistence speaks to a nation-state actor. The continuous evolution of the malware implies an organized actor. But sending unwanted ads is far too noisy for any serious use. And the infection mechanism is pretty random. I just don't know."

Meanwhile, Collier brought his readers up to recent times, when "a tech savvy user reached out to us in early January 2020 on the Malwarebytes support forum: 'I have a phone that is infected with the xhelper virus. This tenacious pain just keeps coming back.'"

Again, the nastiness resided in its persistence. Collier reported that "Malwarebytes for Android had already successfully removed two variants of xHelper and a Trojan agent from her mobile device. The problem was, it kept coming back within an hour of removal. xHelper was re-infecting over and over again."

Collier said this aspect of xHelper stood out for him because he could not recall a time that an infection persisted after a factory reset unless the device came with pre-installed malware.

Unlike apps, directories and files remain on the Android mobile device even after a factory reset. Therefore, until the directories and files are removed, the device will keep getting infected. Collier wrote: "Luckily, I had Amelia's help, who was as persistent as xHelper itself in finding an answer and guiding us to our conclusion."

The culprit? In 2020, Collier made some headway. This is what his investigation found: "Hidden within a directory named com.mufc.umbtts was yet another Android application package (APK). The APK in question was a Trojan dropper we promptly named Android/Trojan.Dropper.xHelper.VRW. It is responsible for dropping one variant of xHelper, which subsequently drops more malware within seconds."

More of the mystery wafts in: nowhere on the device did it appear that Trojan.Dropper.xHelper.VRW was installed. "It is our belief that it installed, ran, and uninstalled again within seconds to evade detection, all by something triggered from Google PLAY. The 'how' behind this is still unknown."

Fortunately, Collier wrote detailed, step-by-step instructions for addressing xHelper. First of all, he recommended installing the free Malwarebytes for Android.

Next, he said to install a file manager from Google PLAY that has the capability to search files and directories; Amelia used File Manager by ASTRO. Collier then said to disable Google PLAY temporarily, to stop re-infection, before searching for and removing the hidden directory. More instructions followed in the list.
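The search step above, done the way an analyst would do it from a workstation rather than by hand in a file manager, as an added example that is not part of the article or of Malwarebytes' own guidance. The only indicator it knows is the directory name com.mufc.umbtts quoted above; the `/sdcard` path layout, the sample listing and the use of `adb shell find` over USB debugging are assumptions, and the script scans a constructed listing unless explicitly told to query a device.

```shell
#!/bin/sh
# Added example (not from the article or Malwarebytes): flag directories whose
# final path component matches a known xHelper indicator name in a directory
# listing taken from an Android device's shared storage.

# Indicator directory names, space separated. com.mufc.umbtts is the one named
# in the article; extend the list as further variants are published.
XHELPER_DIR_INDICATORS='com.mufc.umbtts'

# Read a newline-separated listing of directory paths on stdin and print every
# path whose basename matches an indicator. Always returns 0; the caller looks
# at the printed paths (empty output means nothing was found).
flag_xhelper_dirs() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        base=${path##*/}
        for ind in $XHELPER_DIR_INDICATORS; do
            if [ "$base" = "$ind" ]; then
                printf '%s\n' "$path"
            fi
        done
    done
    return 0
}

# Constructed sample listing, shaped like the output of `find /sdcard -type d`
# on a device where the hidden dropper directory is present.
SAMPLE_LISTING='/sdcard/Android/data/com.android.vending
/sdcard/DCIM/Camera
/sdcard/com.mufc.umbtts
/sdcard/Download'

# With --device, pull a live listing over adb (assumes USB debugging is on and
# the /sdcard layout); otherwise scan the constructed sample so this runs offline.
if [ "${1:-}" = "--device" ]; then
    adb shell find /sdcard -type d 2>/dev/null | flag_xhelper_dirs
else
    printf '%s\n' "$SAMPLE_LISTING" | flag_xhelper_dirs
fi
```

Any path the script prints is a candidate for the removal step in Collier's list; check it by hand before deleting, since a legitimate app could in principle reuse a package-style directory name, and keep Google PLAY disabled until the directory is gone so the dropper cannot re-run in the meantime.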

Collier concluded by taking his readers into the bigger picture: we might have entered a new era in mobile malware. "The ability to re-infect using a hidden directory containing an APK that can evade detection is both scary and frustrating. We will continue analyzing this malware behind the scenes. In the meantime, we hope this at least ends the chapter of this particular variant of xHelper."
