Saturday, January 18, 2025
HomeAndroidUnkillable Android XHelper Malware Reinstall Itself Again After Factory Reset

Unkillable Android XHelper Malware Reinstall Itself Again After Factory Reset

Published on

SIEM as a Service

Follow Us on Google News

The Android XHelper malware was first identified in October 2019, it is known for its persistent capabilities.

Once it gets installed to the device, the malware remains active even after the user deletes it and restore the factory settings.

Android XHelper Malware

The malware distributed by threat actors as a popular cleaner and speed-up app for smartphones, but it doesn’t have any cleaner or speed-up functions.

Once the cleaner or a speed-up app gets installed it simply disappears from the main screen or from the program menu.

According to Kaspersky’s study, Trojan’s payload is encrypted in the file /assets/firehelper.jar sends information about the victim device such as (android_id, manufacturer, model, firmware version, etc) to attacker’s server.

From the attacker’s server, it downloads the second malicious module “Trojan-Dropper.AndroidOS.Agent.of” which decrypts payload using the native library.

The next dropper is “Trojan-Dropper.AndroidOS.Helper.b“, which launches “Trojan-Downloader.AndroidOS.Leech.p” for further infection.

Leech.p further downloads “HEUR:Trojan.AndroidOS.Triada.dd” which uses exploits for escalating privileges on the victim’s device.

“Malicious files are stored sequentially in the app’s data folder, which other programs do not have access to. This matryoshka-style scheme allows the malware authors to obscure the trail and use malicious modules that are known to security solutions,” reads the Kaspersky blog post.

If the victim’s running Android versions 6 and 7 from Chinese manufacturers then XHelper able to escalate privileges and install’s malicious files directly in the system partition.

Android XHelper Malware
Total number of attacks 2019-2020

The malware adds a number of files to the /system/bin folder and added calls to install-recovery.sh which makes Triada run at system startup.

The simplest method to remove is by completely reflashing the phone, using a smartphone infected with xHelper is extremely dangerous.

Some users said that they suppressed Xhelper activity by turning off permissions and locking them using app lock software. Some users said that “tried denying permissions to xHelper without uninstalling, but it turned on all permissions again.”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

New Botnet Exploiting DNS Records Misconfiguration To Deliver Malware

Botnets are the networks of compromised devices that have evolved significantly since the internet's...

Thousands of PHP-based Web Applications Exploited to Deploy Malware

A significant cybersecurity threat has emerged, threatening the integrity of thousands of PHP-based web...

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers...