xHelper was a mysterious Android malware that had infected more than 45,000 devices last year. What makes it stand out is that it re-installs itself on infected devices even after users delete it or factory reset their devices which makes it almost impossible to remove.
Since it was discovered, cybersecurity researchers have been trying to work out how the malware survives a factory reset and how it managed to infect so many devices.
Igor Golovin, a malware analyst at Kaspersky, published a blog post that solves the mystery by revealing the technical details of the persistence mechanism this malware uses. He also worked out how to remove xHelper from an infected device completely.
The malware app disguises itself as a popular cleaner and speed optimization app for smartphones and most of the users affected were from Russia (80.56%), India (3.43%), and Algeria (2.43%).
After getting installed, the ‘cleaner’ disappears and is not found either on the main screen or in the program menu. It can be seen only by checking the list of installed apps in the system settings.
When an unsuspecting user installs it, the malicious app registers itself as a foreground service and then extracts an encrypted payload that collects identifying information about the targeted device and sends it to an attacker-controlled remote web server.
Next, the malicious app executes another obfuscated payload that triggers a set of Android rooting exploits and tries to gain administrative access to the device's operating system.
The malware hides in the device and waits for the hacker’s commands. It is found that the malware uses SSL certificate pinning to prevent its communication from being intercepted.
The malware then installs a backdoor that can execute commands as a superuser. This gives the attacker full access to all app data, and the backdoor can be used by other malware as well.
If the rooting exploits succeed, the malicious app abuses its root privileges to silently install xHelper by copying malicious package files directly to the system partition (the /system/bin folder) after re-mounting it in read-write mode.
All files in the target folders are assigned the immutable attribute, which makes the malware hard to delete because the system prohibits even superusers from deleting files that carry this attribute.
Interestingly, although a legitimate security app or the affected user could otherwise simply re-mount the system partition and permanently delete the malware files, xHelper also modifies a system library (libc.so) so that infected users can no longer re-mount the system partition in read-write mode.
In addition, the Trojan downloads and installs many more malicious programs and deletes root access control applications such as Superuser.
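The two symptoms described above, files under /system/bin carrying the immutable attribute and a system partition that stays read-only after a remount attempt, can both be checked from the device's own tooling. The script below is an added triage example written for this article; it is not code from the article or from Kaspersky. It parses `lsattr` output for entries whose flag field contains the lowercase `i` (immutable) flag and parses a mount table in the format of `/proc/mounts` to report how `/system` is mounted. The file names and mount lines embedded in it are constructed samples, not real indicators from the malware.

```shell
#!/bin/sh
# Added triage example, not code from the article or from Kaspersky.
# It parses `lsattr` output for entries carrying the immutable ('i') flag,
# the attribute the article says xHelper sets on files it drops under
# /system/bin, and parses a mount table to report how /system is mounted.
# File names and mount lines below are constructed samples, not real IoCs.

# Read lsattr lines on stdin and print the path of each immutable entry.
# A line looks like: "----i---------e------- /system/bin/example"
# The flag field is everything before the first space; lowercase 'i' is
# the immutable attribute (uppercase 'I' means something else, so the
# match is deliberately case-sensitive). Lines without a space, such as
# the "/dir:" headers and blank lines that `lsattr -R` prints, are skipped.
find_immutable() {
    while IFS= read -r line; do
        case "$line" in
            *\ *) ;;
            *) continue ;;
        esac
        flags=${line%% *}
        path=${line#* }
        case "$flags" in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# Convenience wrapper: number of immutable entries in an lsattr listing.
count_immutable() {
    find_immutable | wc -l | tr -d ' '
}

# Read a mount table (format of /proc/mounts) on stdin and print "ro" or
# "rw" for the /system mount point, or "absent" if there is no such line.
# Useful after a remount attempt: if /system still reports "ro", the
# remount did not take effect, which is the symptom the article attributes
# to the modified libc.so.
system_mount_mode() {
    mode=absent
    while read -r dev mnt fstype opts rest; do
        if [ "$mnt" = "/system" ]; then
            case ",$opts," in
                *,ro,*) mode=ro ;;
                *)      mode=rw ;;
            esac
        fi
    done
    printf '%s\n' "$mode"
}

# Constructed sample lsattr output (hypothetical names).
SAMPLE_LSATTR='--------------e------- /system/bin/sh
----i---------e------- /system/bin/sample_dropper
----i---------e------- /system/bin/sample_payload
--------------e------- /system/bin/toybox'

# Constructed sample mount table in /proc/mounts format.
SAMPLE_MOUNTS='/dev/block/dm-0 /system ext4 ro,seclabel,relatime 0 0
/dev/block/dm-1 /vendor ext4 ro,seclabel,relatime 0 0
/dev/block/sda1 /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0'

# Stand-alone run: list the immutable entries and the /system mount mode.
# On a rooted device you would feed real data instead, for example:
#   lsattr -R /system/bin 2>/dev/null | find_immutable
#   system_mount_mode < /proc/mounts
echo "immutable entries:"
printf '%s\n' "$SAMPLE_LSATTR" | find_immutable
echo "/system is mounted: $(printf '%s\n' "$SAMPLE_MOUNTS" | system_mount_mode)"
```

Running the sample reports the two constructed immutable entries and `/system is mounted: ro`. On a real device both checks need a root shell, and a clean result for the immutable flag does not by itself clear the device; the article's point is that the modified libc.so is the part that keeps the partition read-only, so a `ro` result after a remount attempt is the more telling sign.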
Kaspersky states that in order to permanently remove xHelper Android malware, the modified library can be replaced with the one from the original firmware for your Android smartphone.
Rather than attempting that repair, all affected users are advised to simply re-flash their backdoored phones with a fresh copy of the firmware downloaded from the vendor's official website, or to install a different but compatible Android ROM.