Symantec has issued an urgent warning to Android users about a new malware threat called xHelper. The malicious application has infected more than 45,000 devices in the past six months and it's virtually impossible to remove - even factory resetting your phone and wiping all your data doesn't help. Here's what you need to know.
xHelper is a highly malicious app that hides itself after installation, then downloads other threats and displays obtrusive ads. According to a Symantec report, the app is able to reinstall itself after being uninstalled by the user and is designed to stay hidden by not appearing on the system’s launcher. To date, over 45,000 Android devices are known to be infected.
Yesterday Service NSW officially launched the Digital Driver Licence (DDL) app for Android and iOS devices statewide. The app, which is free to download, is an electronic version of your existing driver licence.
However, you might want to take a look at the permissions before hitting that install button. According to Google, downloading the app gives Service NSW access to your camera, calendar, storage and "confidential information". Here's what you need to know.
Xhelper can’t be launched manually since there is no app icon visible on the launcher. Instead, the app is launched by external events, such as when the compromised device is connected to or disconnected from a power supply, the device is rebooted, or an app is installed or uninstalled. As Symantec notes, this makes it easier for the malware to perform its malicious activities undetected.
Here's a breakdown of how it operates, courtesy of Symantec:
Once launched, the malware will register itself as a foreground service, lowering its chances of being killed when memory is low. For persistence, the malware restarts its service if it is stopped; a common tactic used by mobile malware.
Once Xhelper gains a foothold on the victim’s device, it begins executing its core malicious functionality by decrypting to memory the malicious payload embedded in its package. The malicious payload then connects to the attacker’s command and control (C&C) server and waits for commands. To prevent this communication from being intercepted, SSL certificate pinning is used for all communication between the victim’s device and the C&C server.
Upon successful connection to the C&C server, additional payloads such as droppers, clickers, and rootkits, may be downloaded to the compromised device.
That last point is especially worrying, as it means bad actors have a range of attacks at their disposal, ranging from covert data theft to the complete takeover of a victim's device.
Currently, Xhelper is being classed as a "work in progress" with the source code mainly targeting users in India, U.S., and Russia. Symantec suspects attackers may be planning a large scale attack once more devices have been infected.
It is not currently known how the Xhelper malware is managing to infiltrate devices. Unlike most malicious apps, it does not appear to have been downloaded by users through the Google Play Store or come preinstalled on devices.
"Since it is unlikely that the apps are systems apps, this suggests that another malicious system app is persistently downloading the malware, which is something we are currently investigating," Symantec said.
How to protect against Xhelper
Naturally, the safest protection against any malware is to use common sense - don't visit dodgy websites on your phone, don't download programs from unknown sources and only sideload apps when it's absolutely necessary. In addition, Symantec suggests the following precautions:
- Keep your software up to date.
- Do not download apps from unfamiliar sites.
- Only install apps from trusted sources.
- Pay close attention to the permissions requested by apps.
- Install a suitable mobile security app to protect your device and data.
- Make frequent backups of important data.<