Unkillable Android XHelper Malware Reinstall Itself Again After Factory Reset

The Android XHelper malware was first identified in October 2019, it is known for its persistent capabilities.

Once it gets installed to the device, the malware remains active even after the user deletes it and restore the factory settings.

Android XHelper Malware

The malware distributed by threat actors as a popular cleaner and speed-up app for smartphones, but it doesn’t have any cleaner or speed-up functions.

Once the cleaner or a speed-up app gets installed it simply disappears from the main screen or from the program menu.

According to Kaspersky’s study, Trojan’s payload is encrypted in the file /assets/firehelper.jar sends information about the victim device such as (android_id, manufacturer, model, firmware version, etc) to attacker’s server.

From the attacker’s server, it downloads the second malicious module “Trojan-Dropper.AndroidOS.Agent.of” which decrypts payload using the native library.

The next dropper is “Trojan-Dropper.AndroidOS.Helper.b“, which launches “Trojan-Downloader.AndroidOS.Leech.p” for further infection.

Leech.p further downloads “HEUR:Trojan.AndroidOS.Triada.dd” which uses exploits for escalating privileges on the victim’s device.

“Malicious files are stored sequentially in the app’s data folder, which other programs do not have access to. This matryoshka-style scheme allows the malware authors to obscure the trail and use malicious modules that are known to security solutions,” reads the Kaspersky blog post.

If the victim’s running Android versions 6 and 7 from Chinese manufacturers then XHelper able to escalate privileges and install’s malicious files directly in the system partition.

The malware adds a number of files to the /system/bin folder and added calls to install-recovery.sh which makes Triada run at system startup.

The simplest method to remove is by completely reflashing the phone, using a smartphone infected with xHelper is extremely dangerous.

Some users said that they suppressed Xhelper activity by turning off permissions and locking them using app lock software. Some users said that “tried denying permissions to xHelper without uninstalling, but it turned on all permissions again.”

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.