Xhelper: Persistent Android dropper app infects 45K devices in past 6 months



May Ying Tee, Software Engineer

Tommy Dong, Sr Princ Software Engineer



Symantec has observed a surge in detections for a malicious Android application that can hide itself from users, download additional malicious apps, and display advertisements. The app, called Xhelper, is persistent. It is able to reinstall itself after users uninstall it and is designed to stay hidden by not appearing on the system’s launcher. The app has infected over 45,000 devices in the past six months.
We have seen many users posting about Xhelper on online forums, complaining about random pop-up advertisements and how the malware keeps showing up even after they have manually uninstalled it.




Figure 1. Users complain on forums about Xhelper (Top: Google, Bottom: Reddit)
Xhelper in action
Xhelper does not provide a regular user interface. The malware is an application component, meaning it won’t be listed in the device’s application launcher (see Figure 2). This makes it easier for the malware to perform its malicious activities undercover.


Figure 2. Code used to remove app from application launcher (top) and list app in launcher (bottom)
Xhelper can’t be launched manually since there is no app icon visible on the launcher. Instead, the malicious app is launched by external events, such as when the compromised device is connected to or disconnected from a power supply, the device is rebooted, or an app is installed or uninstalled.


Figure 3. Xhelper’s manifest code showing the events that will trigger the malware
Once launched, the malware will register itself as a foreground service, lowering its chances of being killed when memory is low. For persistence, the malware restarts its service if it is stopped, a common tactic used by mobile malware.


Figure 4. Xhelper registers itself as a foreground service an ..
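As an added defender-side example, not code from the Symantec post, the following Python triage check parses a decoded AndroidManifest.xml and flags the combination described above: no launcher activity, broadcast receivers for the boot, power and package events, and the foreground-service permission. The manifest it runs on is constructed for illustration and is not Xhelper's.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace

# Broadcast actions the post lists as Xhelper's launch triggers (real Android action names).
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
}

def manifest_findings(manifest_xml):
    """Return heuristic findings for one decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    has_launcher, triggers = False, set()
    for comp in (app if app is not None else []):  # activities, receivers, services
        for flt in comp.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            cats = {c.get(A + "name") for c in flt.findall("category")}
            # An app with no MAIN/LAUNCHER activity shows no icon in the launcher.
            if comp.tag == "activity" and "android.intent.action.MAIN" in actions \
                    and "android.intent.category.LAUNCHER" in cats:
                has_launcher = True
            if comp.tag == "receiver":
                triggers |= actions & TRIGGER_ACTIONS
    perms = {p.get(A + "name") for p in root.findall("uses-permission")}
    return {
        "no_launcher_icon": not has_launcher,
        "event_triggers": sorted(triggers),
        "foreground_service": "android.permission.FOREGROUND_SERVICE" in perms,
    }

def is_suspicious(findings):
    """Flag: no user-visible entry point, yet wakes on system events and runs in the foreground."""
    return (findings["no_launcher_icon"] and len(findings["event_triggers"]) >= 2
            and findings["foreground_service"])

# Constructed sample manifest (hypothetical package name), not Xhelper's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <receiver android:name=".Wake"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
      <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      <action android:name="android.intent.action.PACKAGE_ADDED"/>
    </intent-filter></receiver>
    <service android:name=".Svc"/>
  </application>
</manifest>"""
```

Run `is_suspicious(manifest_findings(SAMPLE_MANIFEST))` over manifests pulled from a decoded APK to triage a batch; an ordinary app with a launcher activity is not flagged.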
