Jump to content
Karlston

Nasty Android malware reinfects its targets, and no one knows how

Recommended Posts

Karlston

Nasty Android malware reinfects its targets, and no one knows how

Users report that xHelper is so resilient it survives factory resets.

Nasty Android malware reinfects its targets, and no one knows how

A widely circulating piece of Android malware primarily targeting US-based phones used a clever trick to reinfect one of its targets in a feat that stumped researchers as to precisely how it was pulled off.

 

xHelper came to light last May when a researcher from security firm Malwarebytes published this brief profile. Three months later, Malwarebytes provided a deeper analysis after the company’s Android antivirus app detected xHelper on 33,000 devices mostly located in the US, making the malware one of the top Android threats. The encryption and heavy obfuscation made analysis hard, but Malwarebytes researchers ultimately concluded that the main purpose of the malware was to act as a backdoor that could remotely receive commands and install other apps.

 

On Wednesday, Malwarebytes published a new post that recounted the lengths one Android user took to rid her device of the malicious app. In short, every time she removed two xHelper variants from the device, the malware would reappear on her device within the hour. She reported that even performing a factory reset wasn't enough to make the malware go away.

Blind alleys

Company researchers initially suspected that pre-installed malware was the culprit. They eventually dropped that theory after the user performed a technique that prevented system apps from running. Malwarebytes analysts later saw the malware indicating that Google Play was the source of the reinfections, but they ruled out this possibility after further investigation.

 

Eventually (and with the help of the Android user), company researchers finally identified the source of the reinfections: several folders on the phone that contained files that, when executed, installed xHelper. All of the folders began with the string com.mufc. To the researchers’ surprise, these folders weren’t removed even though the user performed a factory reset on the device.

 

“This is by far the nastiest infection I have encountered as a mobile malware researcher,” Malwarebytes’ Nathan Collier wrote in Wednesday’s post. “Usually a factory reset, which is the last option, resolves even the worst infection. I cannot recall a time that an infection persisted after a factory reset unless the device came with pre-installed malware.”

mufc-folders1.jpeg
mufc-folders2.jpeg
Malwarebytes

Hidden inside a directory named com.mufc.umbtts was an Android application package, or APK, that dropped an xHelper variant. The variant, in turn, dropped more malware within seconds. And with that, xHelper once again menaced the user’s device. The user finally rid her device of the malware after using an Android file manager to delete the mufc folders and all their contents. Because the malware was somehow identifying Google Play as the source of the reinfection, Collier recommends people in a similar position disable the Google Play Store app before removing the folders.

 

Collier still isn’t sure how the mufc folders came to reside on the phone in the first place or why they weren’t deleted during factory reset. In October, security firm Symantec also reported that users were complaining that factory resets didn’t kill xHelper, but company researchers were also unable to explain why. One theory, Collier said, is that an xHelper variant installed the folders and made them appear as an SD card that wasn’t affected by the factory reset (the user reported that her device didn’t have an SD card).

 

“I was under the assumption that files/directories were removed after a factory reset, but this proves that some things can be left over,” Collier wrote in an email. “There are still a lot of unknowns with this one. We’re just glad to have a resolution for our customers who may be struggling with this infection.”

 

 

Source: Nasty Android malware reinfects its targets, and no one knows how (Ars Technica)  

Share this post


Link to post
Share on other sites
Edward Raja

Another way to remove that kind of malware will be through ADB and recovery menu, but that would be for advanced users.

I did this before on my cousin's Asus Zenfone 5 LTE.

Share this post


Link to post
Share on other sites
Akaneharuka

@Edward Raja Hey Edward I have a little bit of topic question.

Do you know the adb command that can remove the google youtube app ? I don`t want it on my phone anymore :( .

Share this post


Link to post
Share on other sites
Edward Raja
13 minutes ago, Akaneharuka said:

@Edward Raja Hey Edward I have a little bit of topic question.

Do you know the adb command that can remove the google youtube app ? I don`t want it on my phone anymore :( .

refer this tutorial:

https://www.xda-developers.com/uninstall-carrier-oem-bloatware-without-root-access/

https://forum.xda-developers.com/android/general/uninstall-apps-via-adb-t3738105

just a warning though, uninstalling system applications can be dangerous so please know what you’re getting rid of before you complete these steps. Failing to do so could result in your phone becoming unusable until you perform a factory reset. Of course, by removing any given system application, another system application that may depend on it may also break so be careful what you remove. But if something does go wrong, you can always perform a factory reset to bring things back to the way they were. 

but if you think it is complicated, just disable it instead of removing.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...