Researchers Found The Secret Of 'xHelper', The Unkillable Android Malware

Android trojan

Because there is no limit to the ways people can program computers, there are always two sides of the coin.

On one side, developers create software for the greater good: they build solutions to existing problems. On the other side, there are developers who exploit existing demand by creating software for malicious purposes.

Among the latter, many have been found on the popular Android platform.

One of the most dangerous is 'xHelper', which confused researchers because the malware is somehow 'unkillable'.

This xHelper first appeared in October 2019.

At that time, researchers found that the Android malware could hide itself and reinstall itself whenever removed. This makes it persistent, surviving even a factory reset.

Even after seeing the malware infect tens of thousands of devices, analysts still did not know how it worked.

Share of Kaspersky users attacked by the xHelper in the total number of attacks, 2019-2020. (Credit: Igor Golovin/Kaspersky Lab)

xHelper arrives as apps that pose as performance enhancers, offering to remove old and unneeded files.

Once installed, xHelper removes all root-related apps installed on the victim's device, modifies Android libraries to prevent the system partition from being mounted for writing under any conditions, and sets attributes on the xHelper files so that they cannot be removed.

It then installs a backdoor that remotely installs apps downloaded from an attacker-controlled server.

It also executes commands as a superuser, leveraging its elevated privileges to compromise the Android system deeply.

This way, it can gain access to sensitive data, including browser cookies used to sign in to sites. Once the backdoor is installed, the fake cleaner app disappears from the main screen and program menu and can only be seen by inspecting the list of installed apps in the system settings.

The most interesting thing about xHelper is that it is able to install itself on the victim device's system partition.

In normal Android operating mode, the system partition is read-only. This means it is not possible to remove xHelper's files during ordinary smartphone use. What's more, the malware's components are camouflaged and hidden among the system files necessary for Android to run, none of which are removed during a factory reset.

Because of this, the trojan dropper can reinstall xHelper after a reset.

These are the traits that make the malware impossible to remove without taking unusual measures.

Researchers did not yet know precisely how xHelper's folder got onto infected phones, or why the file was undetectable by antivirus solutions.

Later, however, Kaspersky Lab researcher Igor Golovin published a blog post that shed some light on the situation.

He said that the files were downloaded and installed by a notorious trojan called Triada, which was executed once the xHelper app was installed. It is this Triada malware that roots the device and leverages its elevated privileges to install a series of malicious files directly into the read-only Android system partition.

Triada does this by first remounting the system partition in write mode.

To make the installed files even more persistent, Triada gives them an immutable attribute, which prevents anyone, even a superuser, from deleting them.

Golovin described this as an “unkillable” infection that has extraordinary control over a device.

The xHelper malware downloading the Triada trojan. (Credit: Igor Golovin/Kaspersky Lab)
"It is very easy to get infected by xHelper."

"Devices that are attacked by this malware could lack OS security fixes and stay vulnerable for rooting and installing this kind of malware. Moreover, it’s very hard for users to remove this malware once it is installed. This means the user base of xHelper can rapidly grow and xHelper can stay active on attacked devices for a long time."

The researcher initially thought that it might be possible to remove xHelper by remounting the system partition in write mode to then delete the malicious files stored there. Golovin eventually abandoned that theory.

"Triada’s creators also contemplated this question, and duly applied another protection technique that involved modifying the system library /system/lib/libc.so," Golovin explained. "This library contains common code used by almost all executable files on the device. Triada substitutes its own code for the mount function (used to mount file systems) in libc, thereby preventing the user from mounting the /system partition in write mode."

Users can remove xHelper by using their device's recovery mode, when available, to replace the infected libc.so with the legitimate copy included in the original firmware. They can then either remove all traces of the malware from the system partition or reflash the device.
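The recovery-mode repair described above comes down to two checks a defender can make before touching anything: which files in the system partition carry the immutable attribute Triada sets, and which files differ from (or do not exist in) the vendor's original firmware, with the patched libc.so being the expected hit. The script below is an added example written for this page, not Kaspersky's or Golovin's code; it parses a constructed `lsattr -R /system` capture and compares constructed file contents against a constructed firmware set, so the paths, flags and bytes are placeholders and the reported findings would come from real captures in practice.

```python
import hashlib

# Constructed sample of `lsattr -R /system` output, as a defender would capture
# it from recovery mode. Each line is "<flags> <path>"; an 'i' in the flags field
# is the immutable attribute the article says Triada sets on its files.
SAMPLE_LSATTR = """\
--------------e---- /system/lib/libc.so
--------------e---- /system/lib/libm.so
--------------e---- /system/bin/sh
----i---------e---- /system/bin/sample_dropper
----i---------e---- /system/lib/libsample_helper.so
"""

# Constructed contents of the device's /system files (what recovery would read)
# and of the same paths in the vendor's original firmware. Real triage hashes the
# actual files; the bytes and the two "sample_*" names are placeholders.
DEVICE_FILES = {
    "/system/lib/libc.so": b"libc code ... mount() patched ...",
    "/system/lib/libm.so": b"libm code",
    "/system/bin/sh": b"shell code",
    "/system/bin/sample_dropper": b"dropper",
    "/system/lib/libsample_helper.so": b"helper",
}
FIRMWARE_FILES = {
    "/system/lib/libc.so": b"libc code ... mount() original ...",
    "/system/lib/libm.so": b"libm code",
    "/system/bin/sh": b"shell code",
}


def parse_lsattr(text):
    """Map each path in an lsattr listing to its attribute flag string."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        flags, _, path = line.partition(" ")
        attrs[path] = flags
    return attrs


def immutable_paths(attrs):
    """Paths carrying the immutable ('i') attribute; legitimate firmware files
    under /system normally do not have it."""
    return sorted(p for p, f in attrs.items() if "i" in f)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_to_firmware(device, firmware):
    """Classify device files against the firmware: modified (same path, different
    hash, e.g. the patched libc.so), unexpected (on the device but absent from the
    firmware, e.g. dropped components), missing (in the firmware but gone)."""
    modified = sorted(p for p in device
                      if p in firmware and sha256(device[p]) != sha256(firmware[p]))
    unexpected = sorted(p for p in device if p not in firmware)
    missing = sorted(p for p in firmware if p not in device)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def triage(lsattr_text, device, firmware):
    """Combine both checks into one report that drives the recovery-mode repair:
    restore modified files from the firmware, clear 'i' on unexpected ones, then
    delete them."""
    report = compare_to_firmware(device, firmware)
    report["immutable"] = immutable_paths(parse_lsattr(lsattr_text))
    # Files that are both unexpected and immutable match what the article says
    # the dropper leaves behind; list them separately for the repair step.
    report["immutable_unexpected"] = sorted(
        set(report["immutable"]) & set(report["unexpected"]))
    return report


if __name__ == "__main__":
    for key, paths in triage(SAMPLE_LSATTR, DEVICE_FILES, FIRMWARE_FILES).items():
        print(f"{key}: {paths}")
```

On a real device the listing comes from `lsattr -R /system` run from the recovery shell, and the firmware hashes from the extracted system image of the vendor's original ROM. An immutable file cannot be deleted until the attribute is cleared (`chattr -i`), which is why the report keeps the immutable and unexpected sets separate: restoring libc.so first brings back a working mount, and only then are the remaining files cleared and removed.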

But for the latter, Golovin says that it may not be the best solution, since many Android images for cheap Android phones from China already come with an “add-on” that, when mounted, will download xHelper and repeat the process.

This means the only real way to eliminate this malware from an infected phone is to flash it with a more secure ROM (if one is even available), or to replace the phone.

Fortunately, the reinfection method was found primarily on devices running older versions of Android (6 Marshmallow and 7 Nougat).

Estimates of the number of phones infected by the xHelper malware previously ranged from 33,000 to 45,000. But again, only devices running older, less secure versions of Android should be susceptible to the malware.

Published: 20/04/2020