Android Dropper App Infects 45K Devices in Past 6 months

Smartphones | Oct 30, 2019

Symantec has observed a surge in detections for a malicious Android application that can hide itself from users, download additional malicious apps, and display advertisements.

The app, called Xhelper, is persistent. It is able to reinstall itself after users uninstall it and is designed to stay hidden by not appearing in the system’s launcher. Symantec said that the app has infected over 45,000 devices in the past six months.

Users have been posting about Xhelper on online forums, complaining about random pop-up advertisements and how the malware keeps showing up even after they have manually uninstalled it.

Xhelper does not provide a regular user interface. The malware is an application component, meaning it won’t be listed in the device’s application launcher. This makes it easier for the malware to perform its malicious activities undercover.

Xhelper can’t be launched manually since there is no app icon visible on the launcher. Instead, the malicious app is launched by external events, such as when the compromised device is connected to or disconnected from a power supply, the device is rebooted, or an app is installed or uninstalled.

Once launched, the malware registers itself as a foreground service, lowering its chances of being killed when memory is low. For persistence, the malware restarts its service if it is stopped, a common tactic used by mobile malware.
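The three behaviours just described (no launcher entry, launch on external events, a foreground service) are all visible in an app's manifest before it ever runs, which makes them a cheap static triage signal. The script below is an added example, not Symantec's tooling or anything from the Xhelper samples; it parses a decoded AndroidManifest.xml (as produced by apktool, for instance) and flags the combination of no MAIN/LAUNCHER activity, receivers for the triggers the article names (the reboot trigger is assumed to be BOOT_COMPLETED, the power and app-install triggers the corresponding ACTION_POWER_* and PACKAGE_* actions) and the FOREGROUND_SERVICE permission. Both manifests embedded in it are constructed for the demo; the package names are placeholders.

```python
"""Manifest triage for hidden, event-launched, foreground-service apps.

Added example (not Symantec's code). Reads a decoded AndroidManifest.xml
and reports the combination of behaviours described in the article.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # the android:name attribute

# External triggers named in the article, mapped to Android intent actions
# (assumption: "rebooted" == BOOT_COMPLETED, "app installed/uninstalled" == PACKAGE_*).
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
}


def has_launcher_activity(app):
    """True if any activity carries a MAIN action plus LAUNCHER category."""
    if app is None:
        return False
    for activity in app.iter("activity"):
        for flt in activity.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            cats = {c.get(NAME) for c in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                return True
    return False


def trigger_receivers(app):
    """Map receiver name -> sorted list of trigger actions it listens for."""
    found = {}
    if app is None:
        return found
    for receiver in app.iter("receiver"):
        actions = {a.get(NAME) for a in receiver.iter("action")} & TRIGGER_ACTIONS
        if actions:
            found[receiver.get(NAME)] = sorted(actions)
    return found


def triage_manifest(manifest_xml):
    """Return the individual signals plus a combined 'suspicious' verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    app = root.find("application")
    findings = {
        "package": root.get("package"),
        "no_launcher": not has_launcher_activity(app),
        "trigger_receivers": trigger_receivers(app),
        "foreground_service": "android.permission.FOREGROUND_SERVICE" in perms,
    }
    findings["suspicious"] = (findings["no_launcher"]
                              and bool(findings["trigger_receivers"])
                              and findings["foreground_service"])
    return findings


# Constructed sample: hidden app with event-driven receivers and a foreground service.
HIDDEN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.helper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="helper">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".PkgReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <service android:name=".CoreService"/>
  </application>
</manifest>"""

# Constructed sample: ordinary app with a launcher icon and no trigger receivers.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (HIDDEN_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

Treat the verdict as a triage signal, not proof: launchers, keyboards and some OEM utilities legitimately have no launcher icon, and on Android 8 and later manifest-declared receivers for PACKAGE_ADDED are largely ignored, so the static hit should be followed by a look at what the app actually does.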

Once Xhelper gains a foothold on the victim’s device, it begins executing its core malicious functionality by decrypting to memory the malicious payload embedded in its package. The malicious payload then connects to the attacker’s command and control (C&C) server and waits for commands. To prevent this communication from being intercepted, SSL certificate pinning is used for all communication between the victim’s device and the C&C server.

Upon successful connection to the C&C server, additional payloads such as droppers, clickers, and rootkits, may be downloaded to the compromised device. "We believe the pool of malware stored on the C&C server to be vast and varied in functionality, giving the attacker multiple options, including data theft or even complete takeover of the device," Symantec's Software Engineers said.

Xhelper apps first appeared in March 2019. Back then, the malware’s code was relatively simple, and its main function was visiting advertisement pages for monetization purposes. The code has changed over time. Initially, the malware’s ability to connect to a C&C server was written directly into the malware itself, but later this functionality was moved to an encrypted payload, in an attempt to evade signature detection. Some older variants included empty classes that were not implemented at the time, but the functionality is now fully enabled.

None of the samples that Symantec analyzed were available on the Google Play Store, and while it is possible that the Xhelper malware is downloaded by users from unknown sources, Symantec believes that may not be the only channel of distribution.

Symantec didn't name any phone brands that might be connected to Xhelper, but many commenters on Reddit and on Google Play support forums mentioned that they had cheap Chinese-brand phones.

The names tossed around included Coolpad, Doogee, Hurricane Mobile, Jivi, Micromax, Mobell and Tecno, although some better-regarded brands were also mentioned.

The attackers may be focusing on specific brands. However, Symantec believes it to be unlikely that Xhelper comes preinstalled on devices, given that these apps don’t have any indication of being system apps. In addition, numerous users have been complaining on forums about the persistent presence of this malware on their devices, despite performing factory resets and manually uninstalling it. Since it is unlikely that the apps are system apps, this suggests that another malicious system app is persistently downloading the malware, which is something Symantec is currently investigating.

The malware mostly affects users in India, the U.S. and Russia.

Symantec advises users to take the following precautions:

  • Keep your software up to date.
  • Do not download apps from unfamiliar sites.
  • Only install apps from trusted sources.
  • Pay close attention to the permissions requested by apps.
  • Install a suitable mobile security app.
  • Make frequent backups of important data.
