It was the middle of last year that we detected the start of mass attacks by the xHelper Trojan on Android smartphones, but even now the malware remains as active as ever. The main feature of xHelper is entrenchment — once it gets into the phone, it somehow remains there even after the user deletes it and restores the factory settings. We conducted a thorough study to determine how xHelper’s creators furnished it with such survivability.
!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");
Share of Kaspersky users attacked by the xHelper Trojan in the total number of attacks, 2019-2020
How does xHelper work?
Let’s analyze the family’s logic based on the currently active sample Trojan-Dropper.AndroidOS.Helper.h. The malware disguises itself as a popular cleaner and speed-up app for smartphones, but in reality there is nothing useful about it: after installation, the “cleaner” simply disappears and is nowhere to be seen either on the main screen or in the program menu. You can see it only by inspecting the list of installed apps in the system settings.
The Trojan’s payload is encrypted in the file /assets/firehelper.jar (since its encryption is practically unchanged from earlier versions, it was not difficult to decrypt). Its main task is to send information about the victim’s phone (android_id, manufacturer, model, firmware version, etc.) to https://lp.cooktracking[.]com/v1/ls/get…
