skip to Main Content

Cybercrime spread Xhelper, a new really persistent Android dropper

Cybercrime Spread Xhelper, A New Really Persistent Android Dropper

Symantec: Cybercrime spread Xhelper, a new really persistent Android dropper app. The malware is able to hide and reinstall itself, downloading other threats and display ads. It already infected 45,000 devices in past 6 months

Xhelper, a persistent Android dropper, infected 45,000 devices in past 6 months. It has been discovered by Symantec cyber security experts. The malicious app hides itself, downloads other threats and displays ads. It is mainly targeting users in India, U.S., and Russia. Furthermore, It is able reinstall itself after users uninstall it and is designed to stay hidden by not appearing on the system’s launcher. The malware does not provide a regular user interface. It’s an application component, meaning it won’t be listed in the device’s application launcher. This makes it easier for it to perform its malicious activities undercover. Moreover, Xhelper can’t be launched manually. This, since there is no app icon visible on the launcher. Instead, the malicious app is launched by external events, such as when the compromised device is connected to or disconnected from a power supply, the device is rebooted, or an app is installed-uninstalled.

The cyber security experts: The pool of malware stored on the Xhelper C&C server is vast and varied in functionality, giving the attacker multiple options, including data theft or complete takeover of the device

Xhelper, according to the cyber security experts, once launched it will register itself as a foreground service. This lowering chances of being killed when memory is low. For persistence, the malware restarts its service if it is stopped. Once it gains a foothold on the victim’s device, it begins executing its core functionality by decrypting to memory the payload embedded in its package. This connects to the attacker’s C&C server and waits for commands. To prevent this communication from being intercepted, SSL certificate pinning is used for all communication between the victim’s device and the server. Upon successful connection, additional payloads such as droppers, clickers, and rootkits, may be downloaded to the compromised device. The pool of malware stored on the C&C server is vast and varied in functionality, giving the attacker multiple options, including data theft or complete takeover of the device.

Back To Top