A new strain of Android malware called “xHelper” has been spotted and is currently earning notoriety among cybersecurity experts and users as it has already targetted 32,000 devices by August, which eventually grew to 45,000, according to recent data. The malware strain is extremely persistent (and utterly annoying) as it has the capability to reinstall itself after being removed from the infected devices, making it almost impossible to eradicate.
There were two cybersecurity teams that have already reported about the existence of the xHelper, Symantec, and Malwarebytes. Both teams were able to spot and discover the malware and categorized them in the most detected malware in the past few months.
As per Symantec, the xHelper trojan has been infecting thousands of devices, and the number of infections is growing by the day. In their estimate, an average of 131 new victims per day and around 2,400 new victims per month were recorded. The experts also said that most of these infections were from devices in India, the U.S., and Russia.
Malwarebytes explained that the device could be infected by the malware “web redirects” that send users to web pages hosting Android apps. These sites contain instructions on how to side-load applications that cannot be downloaded from the official app marketplaces like Google Play Store. Researchers said that there are codes hidden in the third-party apps that would download the xHelper malware when installed.
As of the recent strain that was spotted by the researchers, the malware does not carry out dangerous operations. In the worst-case scenario, the xHelper malware has shown intrusive popup ads and notification spam, which redirect users to the Play Store in order to install new applications. The hackers and developers of the malware are earning through invasive advertising and pay-per-install commissions.
The researchers noted that xHelper malware is very “interesting” as it does not work like any other Android malware. The moment that the malware gains access to the Android device through the installation of an infected application, the malware will self-install as a totally independent service. This means that even if users uninstall the application where the malware was delivered, the trojan will continue to deliver intrusive pop-ads and mobile redirects.
Worse, even if the user was able to locate the app location for the actual xHelper malware and uninstall it from the device, it will continue to persist as it has the capability of reinstalling itself after it was deleted. The self-reinstallation function of the malware even works after users perform a factory reset of their devices.
While researchers believe that the strain that is currently in the wild is not dangerous as it does not mess up with the device’s system app operations, Symantec’s experts said that they have reasons to believe that the xHelper malware is a “work in progress.” The experts are currently investigating the possible evolution of the malware.
“Initially, the malware’s ability to connect to a C&C server was written directly into the malware itself, but later this functionality was moved to an encrypted payload in an attempt to evade signature detection. Some older variants included empty classes that were not implemented at the time, but the functionality is now fully enabled. As described previously, Xhelper’s functionality has expanded drastically in recent times,” Symantec said.
“We strongly believe that the malware’s source code is still a work in progress. For example, we spotted many classes and constant variables labeled as “Jio,”” indicating possible future interest in Jio users, the largest 4G network in India.”