(Adopts inspecific phony accent) “Like shooting phish in barrel, da?”
Somebody set up us the bomb
Most tech-savvy people have a vague idea that it’s a bad idea to get phone apps from unknown sources, but at least there is some effort to curate the official app stores from providers like Apple and Google. Unfortunately, even those can fall prey to badly behaved programs, and before you know it, you have willingly provided your face and personal information to questionable actors in North Asia. But if nothing else, those can be cleanly uninstalled.
All bets are off when you side-load an app (i.e., use a work-around method to install it locally from a downloaded file), or worse, if you get a used phone with a malicious kit preinstalled. According to Symantec, in a report picked up by a variety of tech news outlets this week including Cisomag and The Hacker News, an aggressive new malware named “xhelper” has been found on at least 45,000 Android devices since spring of this year and seems to be gaining another 2,400 or so each month. And it is a doozy.
I’m sorry, Dave, but I can’t allow that
On an infected device, the malware appears as xhelper in the Android services list under Settings. It installs as a foreground service and thus can’t be dismissed like a regular application. Its exact method of spread is still somewhat mysterious, as is its stubborn persistence. Symantec indicates that it is very good about restarting itself if manually stopped in Settings, and it frequently reappears in the system even after a factory reset. In other words, it behaves like a classic PC rootkit.
The infection source is also uncertain. It may be propagated by malicious websites or malvertising that convinces a user to walk through the side-loading process. Another possibility is that it is being preloaded on low-cost new or used phones. The target countries for dissemination appear to be mainly the US, India, and Russia. Symantec first noticed it in March and observed the codebase becoming more sophisticated as the year progressed.
So far xhelper’s activity seems centered around creating nuisance pop-up advertisements and redirecting the user to install Play Store apps that probably earn pay-per-install revenue for the malware coders. According to Symantec, however, it has much worse potential, including remote update capabilities. An NSA-style total compromise of the infected device is a real possibility if the authors decide to go that route.
Remedy and avoidance
So far, some users are reporting success removing it with common Android antivirus apps available from the Play Store. However, it sometimes reappears. Whether removal sticks probably depends on which codebase has infected the device and whether the AV writers have caught up to it yet — an ongoing game of whack-a-mole. So, just to reiterate the standard security advice:
- Avoid installing any new apps unless you know exactly what they are and want them on your device.
- Take note of permissions. Android 10, in particular, has tightened permission controls significantly; don’t get into the habit of just clicking through those prompts.
- Be very cautious about purchasing used hardware, or cheap new hardware from gray-market sources.
- Unless you know exactly what you are doing and why, never install an app using instructions that require you to obtain the program file from anywhere other than your device’s curated app store, especially if the instructions require a special phone reboot procedure to complete the install.
Regarding that last one: some legitimate apps will permit a “lite” or ad-sponsored version to be installed from the curated store, and then install additional paid content from the vendor’s source if you buy the premium version or add microtransaction content. Ideally, the original app should come from the curated store, the transaction should take place using the curated store’s checkout mechanism, and the upgrade should be performed entirely within the app.
Those steps will not guarantee absolute safety, but they will improve your chances of avoiding malicious software, or at least being able to get rid of it if you get tricked into installing a curated app that does more than you expected.