
Factory reset to remove Android malware? Not with this one.

Murasaki

Source: zdnet 

https://www.zdnet.com/article/new-unremovable-xhelper-malware-has-infected-45000-android-devices/

 

Additional source for a more in-depth analysis of the malware:

https://www.symantec.com/blogs/threat-intelligence/xhelper-android-malware

 

An allegedly "new" malware named "xhelper" which targets Android devices has earned a reputation of "near impossible to remove" even after an infected device is factory reset.

Quote

this malware was first spotted back in March but slowly expanded to infect more than 32,000 devices by August (per Malwarebytes), eventually reaching a total of 45,000 infections this month (per Symantec).

The malware is on a clear upward trajectory. Symantec says the xHelper crew is making on average 131 new victims per day and around 2,400 new victims per month. Most of these infections have been spotted in India, the US, and Russia.

Quote

According to Malwarebytes, the source of these infections is "web redirects" that send users to web pages hosting Android apps. These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan.

Thankfully this trojan doesn't do any real harm, just annoys you with some popups. 


Quote

The good news is that the trojan doesn't carry out destructive operations. According to both Malwarebytes and Symantec, for most of its operational lifespan, the trojan has shown intrusive popup ads and notification spam. The ads and notifications redirect users to the Play Store, where victims are asked to install other apps -- a means through which the xHelper gang is making money from pay-per-install commissions. 

But simply uninstalling the app won't get rid of these. 

Quote

Uninstalling the original app won't remove xHelper, and the trojan will continue to live on users' devices, continuing to show popups and notification spam.

"Unremovable" 

Furthermore, even if users spot the xHelper service in the Android operating system's Apps section, removing it doesn't work, as the trojan reinstalls itself every time, even after users perform a factory reset of the entire device.

Quote

In a blog post published today, Symantec said the trojan is in a constant evolution, with new code updates being shipped out on a regular basis, explaining why some antivirus solutions manage to remove xHelper in some instances, but not later versions.

While this thing doesn't look intimidating for what it does on the surface, it sure sets an example of persistence and potential for more serious means in the future. It's like a cockroach that can survive a nuclear blast. Pain in the assssssss..


You could just re-flash the firmware and get rid of it that way, right? 

 

Also, I feel like this Trojan might become a bigger problem down the line when they realize they could steal data with it. 


34 minutes ago, Cyberspirit said:

You could just re-flash the firmware and get rid of it that way, right? 

Nothing mentions reflashing as a solution, just AV shenanigans. It does sound like a logical solution, but for whoever isn't tech savvy it's not gonna be a fun day.


17 minutes ago, huilun02 said:

Just flash the stock firmware...

Sure, but that would require the manufacturer actually releasing it.  Otherwise you'd have to send your phone back to them every time and pay all the fees associated with that "repair".

 

Also, good luck getting Joe Average to figure out what firmware to get.  Hell, even I am struggling with that issue right now and I've been putting custom ROMs on my phones for the better part of a decade. 


2 hours ago, Cyberspirit said:

Also, I feel like this Trojan might become a bigger problem down the line when they realize they could steal data with it. 

They're already dropping other malware on infected devices, ergo trojan. Wouldn't be surprised if one of the other malware installs is keylogging or stealing files.


I have a feeling a similar behavior trojan to this trojan will appear on Windows, Linux, and MacOS in the future.


4 hours ago, huilun02 said:

Just flash the stock firmware...

By firmware, do you mean the OS, or the bootloader/recovery?


1 hour ago, Tegos said:

Does MacOS even have these kinds of problems? I always thought it didn't.

Time to throw away that way of thinking. There is money to be made from trojans and ransomware on all systems.


32 minutes ago, Bacon soup said:

Time to throw away that way of thinking. There is money to be made from trojans and ransomware on all systems.

Personally I'm waiting for a ChromeOS malware to come out, getting remote access to the juicy education networks.


2 minutes ago, vorticalbox said:

Personally I'm waiting for a ChromeOS malware to come out, getting remote access to the juicy education networks.

I'm sure a lot of people will get screwed over when locked out of their Google accounts. There is a new app idea: one that downloads all Google Docs and emails to an incremental backup, if it doesn't already exist.


Surely with an Android you’d just buy another one?


11 minutes ago, floofer said:

Surely with an Android you’d just buy another one?

Please tell me you are joking.
The current world's most expensive phone is an Android.


8 hours ago, Cyberspirit said:

You could just re-flash the firmware and get rid of it that way, right? 

 

Also, I feel like this Trojan might become a bigger problem down the line when they realize they could steal data with it. 

Ah the joys of locked down simplified devices and the walled garden approach in general.  On a device you can actually control, like a desktop PC or the shield tablet, this would be trivial and I suspect would likely work.  Of course this is not possible or at least not easy on many phones.  They think locking things down keeps users safe but really it just cripples their ability to fix issues.  You reap what you sow...

 

This is why I'm also always a bit wary of "factory resets".  The concept has never given me confidence that it's as full and complete as it seems, and this would seem to confirm that concern.

 

2 hours ago, Zodiark1593 said:

By firmware, do you mean the OS, or the bootloader/recovery?

All of it.

 

3 hours ago, OlympicAssEater said:

I have a feeling a similar behavior trojan to this trojan will appear on Windows, Linux, and MacOS in the future.

Malware that can hide in the firmware of hardware like a HDD is known to exist but it's generally used by governments against other governments and people they don't like, not really a thing ever normally seen in the wild afaik.  With PCs, a format is all you need to be rid of everything.  I would be interested in seeing a test though comparing a true format to the built in Windows factory reset option.  It might have the same issue if the recovery partition can become infected.


10 hours ago, Cyberspirit said:

You could just re-flash the firmware and get rid of it that way, right? 

It's not that easy on Android devices; manufacturers make it hard. Samsung's is the easiest since they have a tool that does it for you over a USB connection.

And on some devices (such as the Google Nexus 5X), it can lose secure boot even if you flash the OEM ROM, since it's detected that it's been flashed in an unofficial environment.

Secure boot basically stops non-system apps from inserting code at boot up in order to gain system (root) access to the entire device.


Much like a regular computer, if you're installing shit that some shady website tells you to download and how to get around the built in protection, then you deserve everything that comes from it


5 minutes ago, Arika S said:

Much like a regular computer, if you're installing shit that some shady website tells you to download and how to get around the built in protection, then you deserve everything that comes from it

Yeah that's important to remember - this isn't particularly dangerous in any way as it relies on tricking people to go through a large number of what should be obviously bad actions.  It's not like you're gonna pick this up by accident


3 hours ago, floofer said:

Surely with an Android you’d just buy another one?

Google, Samsung, Lenovo, HTC, Nokia, Oppo, hauwisiwiaiwei, and the 500 others don't want to fix your malware problems, they want you to buy another phone...

 


11 hours ago, Cyberspirit said:

You could just re-flash the firmware and get rid of it that way, right? 

 

Also, I feel like this Trojan might become a bigger problem down the line when they realize they could steal data with it. 

In theory yes.

 

In practice, it depends if the firmware flash wipes out the user storage or not. Most OS updates do not do this. You need to get the original shipped firmware first.


I'm guessing it uses the cache area to save a copy of itself that doesn't get removed during a system reset.

 

Good job it's very easy to clear out both the standard cache and Dalvik cache areas, though it does require rooting.


3 minutes ago, Kisai said:

In theory yes.

 

In practice, it depends if the firmware flash wipes out the user storage or not. Most OS updates do not do this. You need to get the original shipped firmware first.

Yeah, it's called a dirty flash or a clean flash.

 

Dirty keeps user data intact; clean removes everything and starts from scratch, though even a clean flash doesn't clean out the cache automatically.
