Android's Unremovable Malware Infects 40,000-plus Phones So Far


Secure Android

It is not uncommon for Android phone users to be targeted by malware, which is hardly surprising given that there are more than 2 billion active Android devices out there. Remember that cyber criminals will always follow the money: the more users there are, the more opportunities to infect.

On 26 August 2019, I wrote about ransomware (Ransomware: Prevent your computer from being infected), and that wasn't funny in any sense of the word. However, an even more worrying piece of Android malware has now been confirmed by security researchers from Symantec: it is all but impossible to remove. With 40,000-plus Android devices already infected, a total that increases every day, the unremovable malware can even "survive" a factory reset.

What is this Android's unremovable malware?
According to Symantec security researchers, the Xhelper Android Trojan is not only stealthy but also prolific. A Symantec report stated that the security company has "observed a surge in detections" of the malware, which can both hide from users and download additional malicious apps. The most concerning aspect of Xhelper, though, is that it is persistent. How persistent, you may be wondering? "It is able to reinstall itself after users uninstall it," the researchers said, adding that the malware keeps reappearing even after users have manually uninstalled it. What's more, according to the research report, even a full factory reset cannot stop Xhelper from reappearing.

What does the Xhelper Android malware do?
Xhelper itself is hidden from the Android device launcher because it is an application component rather than a visible app, which makes it easier for it to go undetected. It is launched by external events, including connecting the device to a power supply and installing an app.

Once launched, the malware registers itself as a foreground service, lowering its chances of being killed when memory is low. Indeed, it would appear that it also restarts the service automatically should it be stopped, adding to the persistent nature of the beast.

The malicious payload that Xhelper unleashes connects to a command and control server and waits for further orders. This communication is also hidden from the user and their security software: it uses SSL certificate pinning to prevent interception. Those "further orders" include serving up additional payloads such as malware droppers and rootkits to enable complete takeover of the infected device.
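The three traits described above (no launcher entry, a receiver that wakes the component on power-connect or app-install broadcasts, and a long-lived service) are all visible in an app's manifest before the code ever runs. The following script is an added example, not code from the article or from Symantec: it is a defender's triage heuristic that flags manifests combining those traits. Both manifests embedded in it, and every package and component name they contain, are constructed for this illustration and are not Xhelper indicators.

```python
"""Heuristic review of an AndroidManifest.xml for launcher-hidden,
event-triggered persistence.

Added example; the manifests below are constructed, and the package and
component names are hypothetical. Flagging is a triage hint, not a verdict.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # fully qualified android:name attribute

# Broadcasts that let a component with no launcher entry start itself on
# external events: power connected, a package installed, device booted.
TRIGGER_ACTIONS = {
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.BOOT_COMPLETED",
}

# Constructed manifest showing the traits the article describes.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.helper">
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <!-- no MAIN/LAUNCHER activity: nothing appears in the app drawer -->
    <receiver android:name=".WakeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <service android:name=".KeepAliveService"/>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: visible launcher, no wake triggers.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.notes">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def has_launcher_activity(app):
    """True if any activity (or alias) is reachable from the app drawer."""
    for tag in ("activity", "activity-alias"):
        for activity in app.iter(tag):
            for flt in activity.findall("intent-filter"):
                actions = {a.get(NAME) for a in flt.findall("action")}
                cats = {c.get(NAME) for c in flt.findall("category")}
                if ("android.intent.action.MAIN" in actions
                        and "android.intent.category.LAUNCHER" in cats):
                    return True
    return False


def wake_triggers(app):
    """Set of TRIGGER_ACTIONS that manifest-declared receivers listen for."""
    found = set()
    for receiver in app.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            for action in flt.findall("action"):
                if action.get(NAME) in TRIGGER_ACTIONS:
                    found.add(action.get(NAME))
    return found


def scan_manifest(xml_text):
    """Return package name, human-readable findings and a suspicious flag."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {p.get(NAME) for p in root.findall("uses-permission")}
    findings = []
    launcher = app is not None and has_launcher_activity(app)
    triggers = wake_triggers(app) if app is not None else set()
    if not launcher:
        findings.append("no launcher activity (hidden from app drawer)")
    for trigger in sorted(triggers):
        findings.append(f"receiver wakes on {trigger}")
    if ("android.permission.FOREGROUND_SERVICE" in perms
            and app is not None and app.find("service") is not None):
        findings.append("declares a service and FOREGROUND_SERVICE permission")
    # Hidden from the user AND self-starting on external events is the
    # combination worth a closer look; either alone is common in benign apps.
    return {
        "package": root.get("package"),
        "findings": findings,
        "suspicious": (not launcher) and bool(triggers),
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = scan_manifest(manifest)
        print(result["package"], "suspicious" if result["suspicious"] else "ok")
        for line in result["findings"]:
            print("  -", line)
```

The script only reads the manifest, so it runs offline against any decoded AndroidManifest.xml (for example one pulled from an APK with apktool). A hit means "review this app", not "this is Xhelper": launcher-less components and boot receivers are legitimate in plenty of software, which is why the flag requires both traits together.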

How can Xhelper survive a factory reset?
The biggest puzzle from the security perspective, at least as far as I am concerned, is how any malware can survive a factory reset. After all, unless it was part of the smartphone firmware, a factory reset should wipe it into oblivion.

The Symantec report appears to rule out this possibility, as it stated: "We believe it to be unlikely that Xhelper comes preinstalled on devices given that these apps don't have any indication of being system apps." The most likely explanation given in the report is that another, separate app is persistently downloading the malware.

In other words, the malware is reinstalled by another piece of malware, which gives the impression that it has survived the factory reset.

How can you prevent your Android device from being infected?
It is bad security practice that puts the user straight back into trouble: after a factory reset, users reinstall the same apps they had before, including those from sources other than the official Google Play Store.

This highlights the risk of installing apps from outside the official app stores. I recommend installing apps only via the official app stores unless you know for certain that the app in question is legitimate. Unless you absolutely trust the developer of a specific app, Android users should stick with apps on the Play Store, which have been vetted by Google. Of course, bad apps do get into the Play Store as well, but sticking to it does lower the odds of installing a malicious application.

For now, that's the best advice you are going to get. The Symantec researchers believe that the malware code is still a work in progress and there are more tricks yet to be revealed.
