Kaspersky Lab experts published a report on malware for Android xHelper. Researchers found out how the Trojan managed to gain a reputation for being “undeletable,” and what exactly provides it with such survival.
XHelper was first spotted by information security experts in the spring of 2019, and the first detailed report on the problem appeared in August, when experts Malwarebytes reported that the malware had already infected 35,000 devices.
In the fall of 2019, a new malware review appeared, already published by Symantec experts, who claimed that the number of infected devices had already exceeded 45,000, and on average xHelper infected 131 new victims per day (about 2,400 new victims per month), most of which were found in India, USA and Russia.
The main source of infections are redirects and suspicious sites that redirect users to pages with Android applications. Such sites instruct the user in detail how to download applications not from Google Play, and the code hidden in the applications ultimately leads to the loading of xHelper.
But the most interesting feature of xHelper is that it behaves differently from most Android malvari. The fact is that even resetting the device to the factory settings is not enough to remove xHelper, and the only option available for victims is a complete flashing of the infected device (which is not always possible).
Moreover, in 2019, experts from Malwarebytes and Symantec were still unable to understand how xHelper “survives” after the above actions. There was no Trojan interference in the operation of system applications and services, and Symantec believed that xHelper was unlikely to be preinstalled on devices out of the box, although the malware actually appears more often on devices of specific brands.
Already in February of this year, Malwarebytes analysts suggested that xHelper somehow exploits the process inside the Google Play Store to initiate reinstallation, and the malware survives resetting to factory settings using special directories that it creates on the device and where it hides its APK. The fact is that, unlike applications, directories and files are saved on the device even after resetting to factory settings. And it was assumed that after the reset, the Google Play Store performs some kind of undefined operation, after which xHelper is reinstalled and reappears in the system.
xHelper and the Nesting Doll from Trojans
Now dedicated to xHelper report Kaspersky Lab experts have published. They note that the activity of the malvari is still not declining, and they report good news: experts found out how the xHelper authors provided their offspring with almost unprecedented survival.
Analysts write that the Trojan, as a rule, disguises itself as a popular application for cleaning and accelerating the work of a smartphone, but in reality does not carry any useful functionality: after installation, such a “cleaner” simply disappears, and it can not be found either on the main screen or in the menu programs. You can see it only by looking at the list of installed applications in the system settings.
The xHelper payload is encrypted in the /assets/firehelper.jar file, and since its encryption has not changed from version to version, experts decrypted it without difficulty. The main function of the payload is to send information about the victim’s phone (android_id, manufacturer, model, firmware version and so on) to the address of the attackers: https: //lp.cooktracking (.) Com / v1 / ls / get and downloading the following malicious module – Trojan-Dropper.AndroidOS.Agent.of.
This malware, in turn, decrypts and launches its own payload, using the native library that comes with it – this approach makes it difficult to analyze the module. At this stage, the next dropper is decrypted and launched – Trojan-Dropper.AndroidOS.Helper.b. He, in turn, launches the Trojan-Downloader.AndroidOS.Leech.p malware, which is responsible for further infection of the device.
The basis and only task of Leech.p is to download the HEUR Malvari: Trojan.AndroidOS.Triada.dd (the notorious Triada banker) with a set of exploits for obtaining root rights on the victim’s device.
All malicious files are sequentially stored in the application data folder, to which other programs do not have access. Such a “nesting doll” allows authors to confuse traces and use malicious modules known to security solutions. Malvari can get root-rights mainly on devices running Android versions 6 and 7 of Chinese manufacturers (including ODM). And after obtaining rights xHelper can install malicious files directly into the system partition.
Experts note that the system partition is mounted at system startup in read-only mode. Thanks to root-rights, the trojan remounts it in the recording mode and proceeds to the main actions: it launches a script with the speaking name forever.sh. Famous Triada tricks are used, including remounting the system partition to install its applications on it. In this case, the package com.diag.patches.vm8u is installed, which Kaspersky Lab monitors as Trojan-Dropper.AndroidOS.Tiny.d.
As a result, the / system / bin folder copies several executable files:
- patches_mu8v_oemlogo – Trojan.AndroidOS.Triada.dd;
- debuggerd_hulu – AndroidOS.Triada.dy;
- kcol_ysy – HEUR: Trojan.AndroidOS.Triada.dx;
- /.luser/bkdiag_vm8u_date – HEUR: Trojan.AndroidOS.Agent.rt.
A few more files are copied to the / system / xbin folder:
The call of files from the xbin folder is added to the install-recovery.sh file, which allows Triada to start at system startup. The immutable attribute is set on all files in the target folders, which makes it difficult to remove the malware: the system does not allow the superuser to delete files with this attribute. However, you can deal with this Trojan’s self-defense method: you must remove this attribute with the chattr command before deleting the file.
The question arises: if malware can remount the system partition to a copy to copy itself into it, can the user go the same way and remove the malware? The authors of Triada also asked this question and as a result applied another protective technique – modification of the system library /system/lib/libc.so. This library contains a common code that is used by almost all executable files on the device. Triada replaces the mount function, which is used to mount file systems, with its libc code, and thus prevents the user from mounting the / system partition in write mode.
To top it off, the Trojan downloads and installs several more malicious applications on the device (for example, HEUR: Trojan-Dropper.AndroidOS.Necro.z), and also removes root access control applications such as Superuser.
How to get rid of xHelper?
It follows from the foregoing that simply removing xHelper cannot get rid of all the infection that has settled on the system. The com.diag.patches.vm8u application installed in the system partition will reinstall xHelper and other malware at the first opportunity.
If the device has a custom recovery environment for Android, you can try to get the libc.so file from the original firmware and replace it with an infected one, and then remove all malware from the system partition. However, it will be easier and more reliable to completely reflash the device, as already mentioned at the beginning of this article.
It should be borne in mind that sometimes in the firmware of smartphones attacked by xHelper there is a pre-installed malware that independently downloads and installs applications (including xHelper). Then the flashing will also be useless, and it is worth looking in the direction of alternative firmware for this device.
One way or another, the researchers conclude that using a smartphone infected with xHelper is extremely dangerous. Indeed, on the device, in fact, there is a backdoor with the ability to execute commands on behalf of the superuser. It provides attackers with full access to the data of all applications and can be used by other malware, such as CookieThief.