Xhelper can hide itself from users, download additional malicious apps, and display advertisements.
Researchers at Symantec, observed an increase in detections for Xhelper, and discovered that it has infected over 45,000 devices in the past six months.
Many users have been complaining about Xhelper on various online forms, stating how the malware keeps showing up even after they have manually uninstalled it.
In addition to not providing a regular user interface, the malware is an application component, meaning that it won’t be listed in the device’s application launcher. This then makes it much easier for the malware to perform its activities, without being noticed.
As there is no visible app icon Xhelper cannot be launched manually. However, it is launched by external events such as when the device is rebooted, or when an app is installed or uninstalled.
Symantec explained: “Once launched, the malware will register itself as a foreground service, lowering its chances of being killed when memory is low. For persistence, the malware restarts its service if it is stopped; a common tactic used by mobile malware.”
“Once Xhelper gains a foothold on the victim’s device, it begins executing its core malicious functionality by decrypting to memory the malicious payload embedded in its package. The malicious payload then connects to the attacker’s command and control (C&C) server and waits for commands. To prevent this communication from being intercepted, SSL certificate pinning is used for all communication between the victim’s device and the C&C server.”
Once there is a successful communication to the C&C server, droppers, clickers and other additional payloads can be downloaded to the compromised device.
Xhelper apps first began to appear in March 2019 whereby the malware code was relatively simple and its main role was to visit advertisement pages for the purposes of monetisation. Over time the code has slowly changed.
“None of the samples we analyzed were available on the Google Play Store, and while it is possible that the Xhelper malware is downloaded by users from unknown sources, we believe that may not be the only channel of distribution.”
Symantec did note that the malicious apps were installed more frequently on certain phone brands, thus it can be assumed that the attackers may be focusing on specific brands.
It is estimated that at least 45,000 devices have been impacted by the Xhelper malware, and in the past month an average of 2,400 devices have been consistently infected throughout the period. The majority of affected users are located in the US, India and Russia.
To stay protected, users are advised to only install apps from trusted sources, as well as paying close attention to permissions requested by the apps. Other precautions users can undertake include making frequent backups of important data and installing a suitable mobile security app.
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/