skip to Main Content
Xhelper Malware

Xhelper: «Unremovable» Malicious Android Dropper App Infects 45K Devices

A new malicious Android dropper app has infected 45,000 devices in the past six months. The malicious app keeps reinstalling itself and possesses features that could be used to deploy second-stage malware payloads. These second-stage malware payloads are often full of tricks and dangerous capabilities, such as;

  • Being able to steal user information with overlay attacks
  • Keylogger
  • Screen readers
  • Ransomware
  • SMS interception to bypass 2-factor authentication
  • RAT

Named Xhelper, the malicious dropper app was first spotted back in March but has now expanded to infect a total of 45,000 devices. According to Symantec, most of the infections have been spotted in India, the United States, and Russia. The malware is also reported to be on a clear upward trajectory. Symantec says the Xhelper crew is making on average 131 new victims per day and around 2,400 new victims per month.

Multiple Options for Attacks

Xhelper is an application component, making it easier for malware to perform malicious activities undercover. The malicious app is launched by external events, such as when the compromised device is connected to a power supply, the device is rebooted, or an app is installed. Once Xhelper gains a foothold on the victim’s device, it begins executing its core malicious functionality by decrypting to memory the malicious payload embedded in its package, Symantec reports on its Threat Intelligence Blog.

The payload then connects to the attacker’s command and control (C&C) server and waits for a command. To prevent communication from being intercepted, SSL certificate pinning is used for all communication between the victim’s device and the server.

Upon successful connection to the C&C server, payloads including droppers, clickers, and rootkits may be downloaded to the compromised device. Symantec highlights that the pool of malware stored on the C&C server providers attackers with multiple options – including data theft or even complete device takeovers.

The Malware Keeps Reinstalling Itself

Xhelper doesn’t work like most other Android malware. Once the trojan gains access to a device via an initial app, Xhelper installs itself as a separate self-standing service. Uninstalling the original app won’t remove Xhelper, and the trojan will continue to live on the device, continuing to show popups and notification spam. Even if users spot Xhelper in the Android OS Apps section, removing it doesn’t work as the trojan reinstalls itself every time. Even after users perform a factory reset of the device.

It’s not clear how Xhelper survives factory resets. In some cases, users report that when they remove Xhelper and disable the «Install apps from unknown sources» option, the setting keeps turning itself back on. The malware keeps reinstalling itself.

Symantec reports that the threat is in constant evolution, with new code updates being shipped out on a regular basis. Symantec has also put out a warning regarding Xhelper’s features, highlighting that Xhelper can download and install other apps – a function that could be used to deployed second-stage malware payloads including ransomware, banking trojans, DDoS bots or password stealers.

In-App Protection: Body Armor for Apps

Promon’s In-App Protection solution acts like body armor for your apps from the inside to ward off and warn about malware attacks. With Promon SHIELD™ user credentials, such as usernames, password, PINs and other inputs are safe. Malware techniques are blocked and cannot spy or fetch user inputs using overlays, keylogging- screenshots or screenreader-techniques.

Back To Top