xHelper is one of the worst nightmares an Android device owner can face. Once installed, the malware obtains root privileges, cannot be removed through the normal settings, persists on the device for a long time and is extremely hard to kill. Malwarebytes first reported on it back in February; now Kaspersky researchers have published a detailed explanation of how xHelper manages to survive even a factory reset.
xHelper is a Real Pain for Android Users
Android devices, smartphones in particular, are hit by malware far more often than iOS, BlackBerry or Windows devices. The much larger user base makes Android the prime target for attackers writing mobile malware. One of the worst infections an Android phone can pick up is xHelper, which Malwarebytes reported on back in February. What makes it so dangerous is how hard it is to remove: it is reported to survive even the most drastic step, a factory reset.
New research from Kaspersky shows how xHelper survives such wipes. xHelper disguises itself as a utility app to trick users into installing it. Once installed, the so-called utility app shows up only in the installed-apps list and never on the home screen, since it has no actual function to offer. The xHelper malware bundled with it, however, digs into the phone and obtains root privileges.
Once installed, it stores an encrypted payload at assets/firehelper.jar and plants a backdoor for fetching further payloads. Before that, it contacts the attackers' C2 server and sends device information such as firmware, OS version and manufacturer. It then pulls in Trojan-Dropper.AndroidOS.Necro.z, an advertising dropper, and a Triada Trojan that exploits the device to gain root privileges. With root in hand, the malware remounts the system partition from read-only to read-write and installs its files directly into it.
Next, a script named forever.sh is executed and the targeted folders are assigned the immutable attribute (the Linux chattr +i flag), which makes them far harder for the user to delete. xHelper is only one of many data-stealing malware families a device can be infected with, and such infections typically arrive by installing apps from unknown sources. xHelper is said to have infected over 45,000 devices to date, and removal is hard. So, as usual, we advise installing apps or any other software only from credible sources.
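The immutable-attribute trick described above is the one part of the infection a practitioner can check for and undo directly from a root shell. The script below is an added example, not code from the Kaspersky or Malwarebytes research: it parses the output of `lsattr -R` as captured on a rooted Android device, reports every entry carrying the immutable (`i`) flag, and prints the remount / chattr / rm sequence needed to clear them. The sample lsattr lines are constructed for the demo (only forever.sh is a name the article gives; `xhelper_stub` is invented), and the directory-header line is included to show why the attribute field has to be parsed rather than the whole line grepped for an `i`.

```shell
#!/bin/sh
# Added example: find files pinned with the immutable attribute (chattr +i),
# as xHelper does after running forever.sh, and print the commands that
# unpin and delete them. Not code from the Kaspersky or Malwarebytes
# write-ups; the sample data below is constructed.

# immutable_paths: read `lsattr -R` output on stdin and print each path
# whose attribute field contains the immutable flag 'i'.
immutable_paths() {
  while IFS= read -r line; do
    case "$line" in
      *" "*) ;;          # "<flags> <path>" entry
      *) continue ;;     # directory header ("/system/bin:") or blank line
    esac
    flags=${line%% *}
    path=${line#* }
    # The attribute field is only letters and dashes. Anything else is not
    # an attribute line and must not be matched ("/system/bin:" has an 'i').
    case "$flags" in
      *[!a-zA-Z-]*) continue ;;
    esac
    case "$flags" in
      *i*) printf '%s\n' "$path" ;;
    esac
  done
}

# cleanup_commands: for each path on stdin, emit the root-shell sequence that
# clears the attribute and deletes the file, bracketed by the read-write /
# read-only remount of /system that the malware itself abuses.
cleanup_commands() {
  printf 'mount -o remount,rw /system\n'
  while IFS= read -r p; do
    printf 'chattr -i "%s"\n' "$p"
    printf 'rm -f "%s"\n' "$p"
  done
  printf 'mount -o remount,ro /system\n'
}

# Constructed sample of `lsattr -R /system` output: two pinned malware files
# (xhelper_stub is an invented name) next to one clean system binary.
SAMPLE_LSATTR='/system/bin:
----i---------e----- /system/bin/forever.sh
--------------e----- /system/bin/sh

/system/xbin:
----i---------e----- /system/xbin/xhelper_stub'

# Demo. On a real device the input would come from:
#   adb shell su -c "lsattr -R /system"
printf '%s\n' "$SAMPLE_LSATTR" | immutable_paths | cleanup_commands
```

The commands are printed rather than executed so they can be reviewed before being run under su on the device. If /system cannot be remounted read-write, or the files come back after a reboot, reflashing the stock firmware is the reliable fallback.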