It is not unusual for Android smartphone users to be the target of malware, which is hardly surprising given that there are more than 2.5 billion active Android devices out there. Cybercriminals will always follow the money, and more users mean more opportunity to infect.
I recently wrote about the Joker malware for example, and that wasn’t funny in any sense of the word. However, an even more seriously worrying bit of Android malware has been confirmed by security researchers from Symantec: it’s all but impossible to remove. With 45,000 Android devices already infected, a total that increases every day, the unremovable malware can even “survive” a factory reset.
What is this unremovable Android malware?
According to Symantec security researchers, the Xhelper Android Trojan is not only stealthy but also prolific. A Symantec report stated that the security company has “observed a surge in detections” of the malware, which can both hide from users and download additional malicious apps. The most concerning aspect of Xhelper, though, is that it is persistent. How persistent, you may be wondering? “It is able to reinstall itself after users uninstall it,” the researchers said, adding that the malware keeps reappearing even after users have manually uninstalled it. What’s more, according to the research report, even a full factory reset cannot stop Xhelper from reappearing.
What does the Xhelper Android malware do?
Xhelper itself is hidden from the Android device launcher: it is an application component without a launcher activity, so no icon appears and the user has nothing obvious to notice or remove. Rather than being opened by the user, it is started by external events, including connecting the device to a power supply and installing an app.
“Once launched, the malware will register itself as a foreground service,” the researchers said, “lowering its chances of being killed when memory is low.” Indeed, it would appear that it also restarts the service automatically should it be stopped, adding to the persistent nature of the beast.
The malicious payload that Xhelper unleashes connects to a command and control server and waits for further orders. The content of this traffic is also shielded from the user and their security software: the malware uses SSL certificate pinning, so an attempt to intercept and inspect the connection with a substituted certificate is rejected rather than trusted. Those “further orders” include serving up additional payloads such as malware droppers and rootkits, enabling complete takeover of the infected device.
How can Xhelper survive a factory reset?
The biggest puzzle from the security perspective, at least as far as I am concerned, is how any malware can survive a factory reset. After all, unless it was part of the smartphone firmware, a factory reset would wipe it into oblivion.
The Symantec report appears to rule out this possibility, as it stated: “We believe it to be unlikely that Xhelper comes preinstalled on devices given that these apps don’t have any indication of being system apps.” The most likely explanation given in the report is that another, separate app is persistently downloading the malware.
I asked the researchers directly about all of this, and May Ying Tee, a software engineer at Symantec, and one of the report authors, told me that “the malware does not technically survive the factory reset.” Instead, Ying Tee says, “we believe it may have been deleted, and later reinstalled by another malware, hence giving the perception of surviving the factory reset.”
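Both mechanics described above, the icon-less component that wakes on device events (under “What does the Xhelper Android malware do?”) and the suspicion that a separate app keeps putting the malware back, can be checked from a USB-debugging shell. The following Python triage script is an added example, not code from Symantec or from this article: it parses the text that `adb shell dumpsys package <pkg>` prints for the fields that matter here (the `flags=[ ... ]` line and whether `SYSTEM` is among them, the `Receiver Resolver Table` and `Activity Resolver Table` sections, and `installerPackageName`) and then follows the installer chain upward from the suspect package. The sample dumps are constructed and heavily abbreviated, and the package names (`com.example.hiddenhelper`, `com.example.freewallpapers`, `com.example.notes`) are hypothetical, not real Xhelper indicators.

```python
import re
from typing import Dict, List, Optional, Set
PLAY_STORE = "com.android.vending"

# Broadcast actions worth flagging on a package with no launcher icon: the power
# and app-install triggers the report describes, plus boot, their obvious sibling.
TRIGGER_ACTIONS: Set[str] = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.PACKAGE_ADDED",
}

# Constructed, heavily abbreviated text in the shape of `adb shell dumpsys package
# <pkg>` output. Package names are hypothetical, not real Xhelper indicators.
SAMPLE_DUMPS: Dict[str, str] = {
    "com.example.hiddenhelper": """\
Receiver Resolver Table:
  Non-Data Actions:
      android.intent.action.ACTION_POWER_CONNECTED:
        3f2a1c com.example.hiddenhelper/.PowerReceiver filter 6a5b4c
      android.intent.action.PACKAGE_ADDED:
        3f2a1c com.example.hiddenhelper/.PackageReceiver filter 5d4e3f
Packages:
  Package [com.example.hiddenhelper] (3f2a1c):
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
    installerPackageName=com.example.freewallpapers
""",
    "com.example.freewallpapers": """\
Packages:
  Package [com.example.freewallpapers] (8e7d6c):
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
    installerPackageName=null
""",
    "com.example.notes": """\
Activity Resolver Table:
  Non-Data Actions:
      android.intent.action.MAIN:
        9c8d7e com.example.notes/.MainActivity filter 11aa22
          Category: "android.intent.category.LAUNCHER"
Receiver Resolver Table:
  Non-Data Actions:
      android.intent.action.BOOT_COMPLETED:
        9c8d7e com.example.notes/.SyncReceiver filter 33bb44
Packages:
  Package [com.example.notes] (9c8d7e):
    flags=[ HAS_CODE ALLOW_BACKUP ]
    installerPackageName=com.android.vending
""",
}

_ACTION_RE = re.compile(r"^\s+(android\.intent\.action\.[A-Z_]+):\s*$", re.M)
_FLAGS_RE = re.compile(r"^\s*(?:pkg)?[fF]lags=\[([^\]]*)\]", re.M)
_INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)", re.M)

def split_sections(dump: str) -> Dict[str, str]:
    """Group dumpsys lines under their column-0 'Header:' lines."""
    sections: Dict[str, List[str]] = {}
    current = ""
    for line in dump.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            current = line[:-1]
        sections.setdefault(current, []).append(line)
    return {name: "\n".join(lines) for name, lines in sections.items()}

def receiver_actions(dump: str) -> Set[str]:
    """Broadcast actions the package's receivers are registered for."""
    return set(_ACTION_RE.findall(split_sections(dump).get("Receiver Resolver Table", "")))

def has_launcher_entry(dump: str) -> bool:
    """True if an activity carries the LAUNCHER category, i.e. the app shows an icon."""
    return "android.intent.category.LAUNCHER" in split_sections(dump).get("Activity Resolver Table", "")

def is_system_app(dump: str) -> bool:
    m = _FLAGS_RE.search(dump)
    return bool(m) and "SYSTEM" in m.group(1).split()

def installer_of(dump: str) -> Optional[str]:
    """Package that installed this one; None when unknown (adb or an unrecorded sideload)."""
    m = _INSTALLER_RE.search(dump)
    return None if not m or m.group(1) == "null" else m.group(1)

def triage(dump: str) -> Dict[str, object]:
    triggers = receiver_actions(dump) & TRIGGER_ACTIONS
    system, launcher, installer = is_system_app(dump), has_launcher_entry(dump), installer_of(dump)
    return {"system_app": system, "launcher_icon": launcher, "installer": installer,
            "trigger_receivers": sorted(triggers),
            # Third-party, no icon, woken by device events, and not from the Play Store.
            "xhelper_like": not system and not launcher and bool(triggers) and installer != PLAY_STORE}

def reinstall_chain(dumps: Dict[str, str], suspect: str) -> List[str]:
    """Follow installerPackageName upward from the suspect to what keeps putting it back."""
    chain = [suspect]
    while chain[-1] in dumps:
        nxt = installer_of(dumps[chain[-1]])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain

if __name__ == "__main__":
    print({pkg: triage(dump)["xhelper_like"] for pkg, dump in SAMPLE_DUMPS.items()})
    print("reinstall chain:", " <- ".join(reinstall_chain(SAMPLE_DUMPS, "com.example.hiddenhelper")))
```

To use it against a real device, replace `SAMPLE_DUMPS` with the output of `adb shell dumpsys package <pkg>` for each third-party package that `adb shell pm list packages -3` lists. Real dumps are far longer than the sample, which is why the parser keys on section headers and field names rather than line positions. An `installerPackageName` of `null` is itself worth noting, since Play Store installs record `com.android.vending`; a suspect whose installer is another third-party app, as in the constructed sample, is the pattern the Symantec researchers describe.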
How can you prevent your Android device from being infected?
As John Opdenakker, an ethical hacker, says, “it’s bad security practices that put the user straight back into trouble again.” If users are reinstalling the same apps as before the factory reset, including those from sources other than the official Google Play Store, then I suspect he is right.
“This highlights the risk of installing apps outside of official app stores,” says application security specialist Sean Wright. “My recommendation is to only install apps via the official app stores unless you know for certain the validity of the app in question.”
Paul Bischoff, a privacy advocate at Comparitech.com, agrees. “Unless you absolutely trust the developer,” he said, “Android users should stick with apps on the Play Store, which have been vetted by Google.” Of course, bad apps do get into the Play Store as well, but it does lower the odds of you installing such a malicious application.
For now, that’s the best advice you are going to get. The Symantec researchers believe that the malware code is still a work in progress, with more tricks up its sleeve yet to be revealed.