“Undeletable” Xhelper malware infected more than 45 thousand Android devices
The largest number of infected devices was observed in India, the USA and Russia.
Over the past few months, thousands of Android device users have fallen victim to a new malware family called Xhelper. The program hides on infected devices and is able to reinstall itself even after it is deleted or the device is reset to factory defaults.
Xhelper is an application component and provides no normal user interface; it does not appear in the application launcher. The malware is triggered by external events initiated by the user, such as connecting the device to or disconnecting it from a power source, rebooting the phone, or installing applications. Once launched, the malware registers itself as the main service, which reduces the risk of it being shut down due to low memory. Having infected the victim's device, Xhelper decrypts its malicious payload into memory. This module connects to the attacker's C&C server and waits for commands. After a successful connection to the C&C server, additional malicious modules such as droppers, clickers and rootkits can be downloaded to the compromised device.
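The traits described above (no launcher entry, broadcast receivers for power, boot and package-install events, and a long-running service) are visible in an app's decoded AndroidManifest.xml, so an analyst can triage a sample before it ever runs. The script below is an added example for this article, not code from the original report or from any vendor; it assumes the manifest has already been decoded to XML text (for instance with apktool or androguard), and the sample manifests embedded in it are constructed for illustration. The scoring rule is a simple heuristic of our own, not a published detection signature.

```python
"""Heuristic manifest triage for the persistence traits described in the article.

Assumed input: a decoded AndroidManifest.xml as a string. Sample manifests below
are constructed for this example and do not come from any real application.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree key for android:name

# Broadcast actions matching the user-initiated triggers the article lists:
# device boot, power connect/disconnect and package installation.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
    "android.intent.action.PACKAGE_ADDED",
}
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"
FOREGROUND_PERMISSION = "android.permission.FOREGROUND_SERVICE"


def triage_manifest(xml_text: str) -> dict:
    """Return the persistence-related facts found in a decoded manifest."""
    root = ET.fromstring(xml_text)

    # Which trigger actions are wired to broadcast receivers?
    triggers = set()
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME_ATTR, "") in TRIGGER_ACTIONS:
                triggers.add(action.get(NAME_ATTR))

    # Does any activity expose a launcher icon?
    launcher_visible = any(
        cat.get(NAME_ATTR) == LAUNCHER_CATEGORY for cat in root.iter("category")
    )

    permissions = {p.get(NAME_ATTR, "") for p in root.iter("uses-permission")}
    services = [s.get(NAME_ATTR, "") for s in root.iter("service")]

    # Heuristic (our own): hidden from the launcher AND reacting to at least
    # one of the trigger events is worth a closer look by an analyst.
    suspicious = (not launcher_visible) and bool(triggers)

    return {
        "triggers": sorted(triggers),
        "launcher_visible": launcher_visible,
        "foreground_service_permission": FOREGROUND_PERMISSION in permissions,
        "services": services,
        "suspicious": suspicious,
    }


# Constructed sample: hidden component with event-driven receivers and a service.
SAMPLE_HIDDEN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.hidden">
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application>
        <receiver android:name=".Trigger">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
                <action android:name="android.intent.action.PACKAGE_ADDED"/>
                <data android:scheme="package"/>
            </intent-filter>
        </receiver>
        <service android:name=".Worker"/>
    </application>
</manifest>
"""

# Constructed sample: ordinary app with a launcher icon and no event triggers.
SAMPLE_BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
    <application>
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("hidden", SAMPLE_HIDDEN), ("benign", SAMPLE_BENIGN)):
        print(label, triage_manifest(manifest))
```

A hit from this heuristic is a triage signal, not a verdict: legitimate apps (battery managers, device-admin tools) also register for boot and power events, so the output is meant to prioritise which samples get a full dynamic analysis of the decrypted payload and its network behaviour.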
Researchers were unable to determine the malware's distribution channels. Since the malware could not be found in the Google Play Store, experts believe that Xhelper is downloaded from unknown sources or installed by a malicious system application preinstalled on some smartphones.