Thousands infected with malware that 'reinstalls itself'

There's been a surge in the number of Android devices infected with a malicious app that can hide from the launcher, download other malware, and reinstall itself after it's removed.

Xhelper is a "persistent" malware that remains on Android devices even after users uninstall it manually, researchers have warned, with at least 45,000 machines affected since infections were first seen in March.

The attack mechanism used, and the pool of malware stored on its command and control (C&C) server, means the cyber criminals behind Xhelper can execute a range of functions. These can range from data theft to complete takeover of a device.

Xhelper's code was simple when first seen in the wild, with its main functions centred on taking users to ad pages in order to monetise.

The malware has grown more sophisticated with time, however, with the ability to connect to its C&C server now coming in the form of an encrypted payload, for instance. This has been done in an attempt to evade detection.

"We strongly believe that the malware's source code is still a work in progress," Symantec software engineer May Ying Tee said.

"For example, we spotted many classes and constant variables labeled as 'Jio'.

"These classes are unimplemented for now but we suspect that the attackers may be planning to target Jio users at a future date (Reliance Jio Infocomm Limited, also known as Jio, is the largest 4G network in India, with more than 300 million subscribers)."

Xhelper does not have a conventional user interface (UI) and is instead an application component, which means it won't be listed in an infected device's app launcher. It can't also be launched manually, given there's no app icon.


Thousands infected with malware that 'reinstalls itself'

More than 45,000 Android devices have been affected by the Xhelper malware since March


The app is launched by certain external events, such as when a device is connected to the power supply, if the device is rebooted, or if an app is installed or uninstalled.

Once launched, Xhelper registers itself as a foreground service, which lowers the chances that it's closed when users try to save memory. If it is shut down, the app simply restarts itself.

From this point, Xhelper downloads and decrypts a malicious payload that allows connection with the C&C server, before waiting for commands. Additional payloads may then be downloaded, including droppers, clickers and rootkits.

From the samples analysed, researchers learned that Xhelper was not sourced from the Google Play Store, and that it was also installed more frequently on certain phone brands. There are no suggestions that it comes preinstalled on devices, however.

As for why Xhelper keeps reinstalling itself, it's unlikely the malicious apps are system apps, meaning there may be another malicious system app that's persistently downloading the malware. This is an area Symantec researchers are currently probing.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.