Nasty Android malware reinfects its targets, and no one knows how


Karlston


Users report that xHelper is so resilient it survives factory resets.


A widely circulating piece of Android malware primarily targeting US-based phones used a clever trick to reinfect one of its targets in a feat that stumped researchers as to precisely how it was pulled off.

 

xHelper came to light last May when a researcher from security firm Malwarebytes published this brief profile. Three months later, Malwarebytes provided a deeper analysis after the company’s Android antivirus app detected xHelper on 33,000 devices mostly located in the US, making the malware one of the top Android threats. The encryption and heavy obfuscation made analysis hard, but Malwarebytes researchers ultimately concluded that the main purpose of the malware was to act as a backdoor that could remotely receive commands and install other apps.

 

On Wednesday, Malwarebytes published a new post that recounted the lengths one Android user took to rid her device of the malicious app. In short, every time she removed two xHelper variants from the device, the malware would reappear on her device within the hour. She reported that even performing a factory reset wasn't enough to make the malware go away.

Blind alleys

Company researchers initially suspected that pre-installed malware was the culprit. They eventually dropped that theory after the user performed a technique that prevented system apps from running. Malwarebytes analysts later saw the malware indicating that Google Play was the source of the reinfections, but they ruled out this possibility after further investigation.

 

Eventually (and with the help of the Android user), company researchers finally identified the source of the reinfections: several folders on the phone that contained files that, when executed, installed xHelper. All of the folders began with the string com.mufc. To the researchers’ surprise, these folders weren’t removed even though the user performed a factory reset on the device.

 

“This is by far the nastiest infection I have encountered as a mobile malware researcher,” Malwarebytes’ Nathan Collier wrote in Wednesday’s post. “Usually a factory reset, which is the last option, resolves even the worst infection. I cannot recall a time that an infection persisted after a factory reset unless the device came with pre-installed malware.”

[Images: the com.mufc folders found on the infected device. Credit: Malwarebytes]

Hidden inside a directory named com.mufc.umbtts was an Android application package, or APK, that dropped an xHelper variant. The variant, in turn, dropped more malware within seconds. And with that, xHelper once again menaced the user’s device. The user finally rid her device of the malware after using an Android file manager to delete the mufc folders and all their contents. Because the malware was somehow identifying Google Play as the source of the reinfection, Collier recommends people in a similar position disable the Google Play Store app before removing the folders.

 

Collier still isn’t sure how the mufc folders came to reside on the phone in the first place or why they weren’t deleted during factory reset. In October, security firm Symantec also reported that users were complaining that factory resets didn’t kill xHelper, but company researchers were also unable to explain why. One theory, Collier said, is that an xHelper variant installed the folders and made them appear as an SD card that wasn’t affected by the factory reset (the user reported that her device didn’t have an SD card).

 

“I was under the assumption that files/directories were removed after a factory reset, but this proves that some things can be left over,” Collier wrote in an email. “There are still a lot of unknowns with this one. We’re just glad to have a resolution for our customers who may be struggling with this infection.”


Source: Nasty Android malware reinfects its targets, and no one knows how (Ars Technica)  


Another way to remove that kind of malware would be through ADB and the recovery menu, but that would be for advanced users.

I did this before on my cousin's Asus Zenfone 5 LTE.



@Edward Raja Hey Edward, I have a little bit of an off-topic question.

Do you know the adb command that can remove the Google YouTube app? I don't want it on my phone anymore :( .



13 minutes ago, Akaneharuka said:

@Edward Raja Hey Edward, I have a little bit of an off-topic question.

Do you know the adb command that can remove the Google YouTube app? I don't want it on my phone anymore :( .

Refer to these tutorials:

https://www.xda-developers.com/uninstall-carrier-oem-bloatware-without-root-access/

https://forum.xda-developers.com/android/general/uninstall-apps-via-adb-t3738105

Just a warning though: uninstalling system applications can be dangerous, so please know what you're getting rid of before you complete these steps. Failing to do so could result in your phone becoming unusable until you perform a factory reset. Of course, by removing any given system application, another system application that depends on it may also break, so be careful what you remove. But if something does go wrong, you can always perform a factory reset to bring things back to the way they were.

But if you think it is complicated, just disable it instead of removing it.
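As an added example that is not part of the Ars Technica article or of this reply: the clean-up the article describes (disable the Play Store first, then delete every folder whose name starts with com.mufc. along with its contents) and the ADB route mentioned above, written as a small Python triage script over a constructed `adb shell find` listing. The sample paths are constructed; com.android.vending is the Play Store's real package name, and the adb/pm commands are standard.

```python
"""Triage helper for xHelper-style reinfection artefacts.

Added example, not Malwarebytes or Ars Technica code. It parses the
output of `adb shell find /sdcard -type f` (constructed inline below)
and produces a defender's clean-up plan in the order the article
describes: disable the Play Store, then remove each com.mufc.* folder.
It only prints a plan; nothing is executed on a device.
"""
from typing import Dict, List

# Directory-name prefix the researchers observed on the infected device.
MUFC_PREFIX = "com.mufc."

# Play Store package name (real); disabled before folder removal.
PLAY_STORE_PKG = "com.android.vending"

# Constructed sample listing: two suspicious folders among benign files.
SAMPLE_FIND_OUTPUT = """\
/sdcard/DCIM/Camera/IMG_0001.jpg
/sdcard/com.mufc.umbtts/xxx.apk
/sdcard/com.mufc.umbtts/cache/blob.bin
/sdcard/Download/com.mufc.abcdef/dropper.apk
/sdcard/Download/report.pdf
/sdcard/Android/data/com.example.app/files/notes.txt
"""


def find_mufc_dirs(find_output: str) -> Dict[str, List[str]]:
    """Map each top-most com.mufc.* directory to the APK files under it."""
    hits: Dict[str, List[str]] = {}
    for line in find_output.splitlines():
        path = line.strip()
        if not path:
            continue
        parts = path.split("/")
        for i, part in enumerate(parts):
            if part.startswith(MUFC_PREFIX):
                top = "/".join(parts[: i + 1])  # the folder itself, not the file
                hits.setdefault(top, [])
                if path.lower().endswith(".apk"):
                    hits[top].append(path)
                break  # stop at the first matching component
    return hits


def cleanup_plan(find_output: str) -> List[str]:
    """Ordered adb commands: disable the Play Store, then remove each folder."""
    hits = find_mufc_dirs(find_output)
    if not hits:
        return []
    plan = [f"adb shell pm disable-user --user 0 {PLAY_STORE_PKG}"]
    plan += [f"adb shell rm -rf '{folder}'" for folder in sorted(hits)]
    return plan


if __name__ == "__main__":
    print("\n".join(cleanup_plan(SAMPLE_FIND_OUTPUT)))
```

Once the folders are gone and a rescan is clean, re-enable the store with `adb shell pm enable com.android.vending`.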



  • 3 weeks later...

Android trojan xHelper can reinstall itself after removal and factory reset

 

While xHelper can be removed by antivirus software, it will soon reinstall itself. (Image via Malwarebytes forum user Amelia)


It seems that there’s always a new piece of malware wreaking havoc in the Android world. Oftentimes, a quick virus scan or factory reset will delete the malicious app and eliminate the threat. However, there is a relatively new trojan that has been able to evade most antivirus measures and reinstall itself, even after a factory reset. 

 

The xHelper trojan was discovered in early 2019. It is a rudimentary piece of malware that mainly uses the infected device's resources to visit ad pages in order to generate revenue. This, in turn, hogs system resources and can rack up data usage, a particularly painful problem for those on restricted or metered connections.

 

The biggest problem with xHelper is the sneaky way in which it persists. Upon installation, the trojan buries a dropper deep in the Android file system that is largely ignored by antivirus checks. Even worse, the dropper persists even after a factory reset. The dropper will then reinstall the trojan and drop more malware before uninstalling itself to remain hidden. 

 

While the exact mechanics of how xHelper works are still not fully known, Malwarebytes has devised a plan of action to permanently remove the trojan. If you suspect your device of being infected by xHelper, run a virus scan with any reputable antivirus software. If xHelper pops up, Malwarebytes suggests you follow these steps (from the Malwarebytes blog). Note: these steps were devised with the help of a Malwarebytes forum user by the name of Amelia.

 

Source



Fascinating, how it reinstalls itself after a factory reset. Maybe the developers should learn from it, the mechanism, and make a rooting procedure available for the most stubborn devices. I wonder if it would do what it is notorious for on Samsung Snapdragon devices.



5 minutes ago, xkryptonx said:

Fascinating, how it reinstalls itself after a factory reset. Maybe the developers should learn from it, the mechanism, and make a rooting procedure available for the most stubborn devices. I wonder if it would do what it is notorious for on Samsung Snapdragon devices.

Yeah, really!

How it reinstalls itself after a factory reset is very perplexing for me too.

Hope more learned colleagues out here throw some light on this never-heard-before phenomenon.



Similar topic merged from Mobile News.

 

(Security news belongs here)
