December 5, 2020

xHelper Android malware can be automatically installed after factory reset

2 min read

An Android malware called “xHelper” is spreading rapidly. Once a device is infected, xHelper can reinstall itself even if the victim deletes it or forces a factory reset of the system.

The malware was reportedly first discovered by the Symantec research team in October 2019; in the following six months it infected more than 45,000 Android devices and is still spreading rapidly. At the time, Symantec estimated that xHelper infected at least 2,400 devices per month on average, with most infected users in Russia, India and the United States.

[Image: xHelper malware. Credit: Malwarebytes]

Kaspersky Lab’s security experts have now published details of the malware’s capabilities and of the persistence mechanism implemented by the malicious code, along with steps for removing xHelper from an infected device. The malware was distributed disguised as a popular mobile device cleaning and speed optimization application. According to Kaspersky, most infections in fact occurred in Russia (80.56%), India (3.43%) and Algeria (2.43%).

Kaspersky’s experts also said that xHelper affects the smartphone’s firmware, so in this case simply resetting the phone’s system is pointless. The malware also installs a backdoor through which the intruder can execute commands as superuser, giving full access to all application data.

The researchers write:

But if you have Recovery mode set up on your Android smartphone, you can try to extract the libc.so file from the original firmware and replace the infected one with it, before removing all malware from the system partition. However, it’s simpler and more reliable to completely reflash the phone.
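As an added example (not from the article or from Kaspersky’s write-up), the following POSIX shell check builds a SHA-256 manifest of the .so files in an unpacked stock firmware tree and compares a pulled copy of the device’s system partition against it, so a replaced libc.so is visible before deciding whether to restore the file or reflash. The directory layout (lib/libc.so under each tree) and the use of a locally unpacked stock image are assumptions.

```shell
#!/bin/sh
# Added example, not Kaspersky's tooling. Assumes the stock firmware has been
# unpacked into STOCK_DIR and the device's system partition has been pulled
# into DEVICE_DIR (for instance via adb in recovery mode). Manifest lines are
# "<sha256>  <relative path>", e.g. "<hash>  lib/libc.so".

# Build the manifest of every .so in the stock firmware tree.
make_manifest() {
    stock_dir=$1
    ( cd "$stock_dir" && find . -type f -name '*.so' | sort | xargs sha256sum ) \
        | sed 's#  \./#  #'
}

# Compare each manifest entry with the device tree.
# Prints one line per MISSING or MODIFIED file; returns 1 if anything differs.
check_tree() {
    manifest=$1
    device_dir=$2
    status=0
    while read -r expected relpath; do
        if [ ! -f "$device_dir/$relpath" ]; then
            echo "MISSING  $relpath"
            status=1
            continue
        fi
        actual=$(sha256sum "$device_dir/$relpath" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $relpath"
            status=1
        fi
    done < "$manifest"
    return $status
}
```

A clean exit means the system libraries match the stock image; any MODIFIED line names a file to restore from the original firmware, with libc.so being the one the researchers single out.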