Xhelper: Android Dropper Which Infected 45k Devices in Six Months

  • Xhelper is a particularly persistent malware dropper and ad clicker.
  • People report that it is almost next to impossible to remove from their phones.
  • The app is downloaded from largely unknown and untrusty sources.

According to a report by Symantec, there’s a malicious app called “Xhelper” which has infected 45k devices over the past six months. Symantec has recently detected a surge in its activity, which mainly entailed the downloading of malicious applications as well as the serving of obnoxious advertisements. As is usually the case with such apps, Xhelper remains hidden after its installation, without an icon on the system’s launcher being created. This way, the users may never realize where the ads are coming from, or at least not realize it before the actors make some money out of the operation.

Xhelper doesn’t provide a user interface either, can’t be launched manually, and generally doesn’t want or need to interact with the user. Instead, it is launched when the power supply is connected or disconnected, when the device is rebooted, and when an app is installed or uninstalled. Xhelper is even registering itself as a foreground service so that it won’t be killed when the device is low on memory. Even if something stops its operation, the malware gets automatically restarted after a short period, showing a remarkable persistence.

Source: Symantec Blogs

All communications between the malware and its C&C server are done under SSL certificate pinning, so they are harder to intercept. The C2 provides commands, additional payloads, rootkits, and all things nasty in general. Xhelper’s code was improved over the months, after the first samples appeared in March 2019. As for the download sources, Google Play Store had removed it quite a while back, so people can only download it from unknown sources and untrustworthy channels of distributions. Symantec also reports that Xhelper showcases a remarkable capability to remain in the device even after factory resets, which indicates the serious possibility of dealing with a supply chain attack.

To stay protected against this malware, which is now infecting 131 devices per day, avoid installing anything from anywhere else other than the official Play Store. If you find an app with the name “Android.Malapp” on your device, you’re infected with the Xhelper, so you’ll need to remove it. If manual removal fails, and if a factory reset doesn’t do the trick either, try using a mobile security app from a reputable vendor. Finally, keep your system and apps up to date, and pay close attention to what permissions are requested by each and every one of them.

Did you find Xhelper on your device? Any idea where it might have came from? Let us know in the comments section down below or on our socials, on Facebook and Twitter.