This is why the vicious xHelper malware resists factory wipes and reboots

The malware is a prime example of why you should not download apps from third-party sources.

LimeRAT malware spreads via a new campaign employing an old tactic

xHelper is a particularly damaging and virulent form of malware that has become a thorn in the side of Android mobile device users. 

First spotted in March 2019 and once deemed unkillable -- but still considered very dangerous -- the mobile malware has been traced back to the download and installation of apps outside of the official Android app repository, the Google Play Store, and often disguises itself as a cleaner or speed utility. 

At least 45,000 devices have been impacted by the malware, with the majority of infections centered in Russia. 

After install, xHelper's 'utility' app vanishes and can only be viewed in the installed apps section. However, attempts to remove the app through deletion and factory resets will fail. 

While the persistence of this malware variant is well-known, Kaspersky has now provided a deep-dive into how xHelper is able to resist removal and is able to remain as dangerous, parasitic software on an impacted device. 

The malware acts as a Trojan to conduct surveillance, steal data, and is also able to download and execute other malicious programs, including Trojan-Dropper.AndroidOS.Necro.z, an advertising and nuisanceware dropper. 

See also: New 'unremovable' xHelper malware has infected 45,000 Android devices

In a blog post on Tuesday, Kaspersky researcher Igor Golovin published an analysis of the malware's persistence mechanisms. 

The payload is first encrypted in the file /assets/firehelper.jar. After connecting to a command-and-control (C2) center, the malware will scan and send device information -- including OS firmware version, manufacturer, and model -- to the C2 before fetching a dropper for another payload, the Triada Trojan, responsible for using a set of exploits to obtain device root privileges.  

Once root access has been secured, xHelper is then able to "install malicious files directly in the system partition," the researchers say, as well as change the mounting process from a default read-only mode to write mode. 

A script is then executed, aptly named forever.sh, to install patches and executables, copying itself to launch from the partition at startup. 

Kaspersky says that all files in targeted folders are assigned the immutable attribute, which is why users have a tough time removing the malware. 

"The system does not allow even superusers to delete files with this attribute," the researchers say. Kaspersky did note, however, that this mechanism can be countered by removing the attribute directly using the chattr command.

CNET: Coronavirus updates: Wuhan ends lockdown, UK prime minister in stable condition in ICU

Another persistence element described by the team is a protective layer around the partition, in which the system library /system/lib/libc.so has been tampered with through the substitution of common code used by many Android applications with its own. 

In particular, code used by the mount function is altered to stop users from mounting the system partition in write mode themselves. 

To make matters worse, xHelper also deletes root access control applications, such as Superuser.

"Using a smartphone infected with xHelper is extremely dangerous," Kaspersky says. "The malware installs a backdoor with the ability to execute commands as a superuser. It provides the attackers with full access to all app data and can be used by other malware too, for example, CookieThief."

TechRepublic: Coronavirus: What business pros need to know

Simply removing the malware's app will not destroy it, as the malicious code can reinstall itself on startup. 

All is not lost, however, if you become a victim of this malware. While Kaspersky recommends reflashing your smartphone, alternatively as previously reported by ZDNet, researchers from Malwarebytes believe they have found a way to remove xHelper.

The team has put together a series of steps to follow which should prevent xHelper reinstalling itself on a compromised device.

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0