xHelper is a mysterious piece of Android malware that re-installs itself on infected devices even after users delete it or factory reset the device, making it nearly impossible to remove.
xHelper reportedly infected over 45,000 devices last year, and since then cybersecurity researchers have been trying to work out how the malware survives a factory reset and how it infected so many devices in the first place.
In a blog post published today, Igor Golovin, a malware analyst at Kaspersky, solved the mystery by publishing technical details of the persistence mechanism the malware uses, and also worked out how to remove xHelper from an infected device completely.
As its initial attack vector and distribution channel, the malware disguises itself as a popular cleaner and speed-optimisation app for smartphones; most affected users are in Russia (80.56%), India (3.43%) and Algeria (2.43%).
“But in reality, there is nothing useful about it: after installation, the ‘cleaner’ simply disappears and is nowhere to be seen either on the main screen or in the program menu. You can see it only by inspecting the list of installed apps in the system settings,” Golovin said.
Once installed by an unsuspecting user, the malicious app registers itself as a foreground service and then extracts an encrypted payload that collects identifying information about the device and sends it to an attacker-controlled remote web server.