Android allows users to install apps from outside the Google Play Store. Most users don’t know or care, but plenty do, and many of them regularly download APK files from shady third-party websites, often ones offering cracked versions of paid apps. It turns out that if you download apps from such sites you may have something to worry about: a new piece of malware called xHelper, which is not as helpful as it sounds.
We’ve all seen the warnings that installing apps from third-party sources can be risky. In this case it really is. xHelper is a nasty bit of malware floating around, discovered just in time for Halloween. What it does so far is not especially scary, but it has the potential to be, and what makes it worse is how it keeps itself installed on your device.
xHelper Android malware
The malware is targeting users in the U.S., Russia, and India, with Jio subscribers in India at particular risk: researchers have spotted several places in the app’s code that directly reference the mobile service provider.
According to security researchers at Symantec, the malware has infected around 45,000 Android devices; other firms, Norton among them, put the number below 75,000. Against 2 billion+ potential targets that is a very small percentage. xHelper is also not, for now, Android malware that harvests your data. What it does is push annoying notifications and change your browser’s homepage, which is equally annoying. It can, however, download and install other malicious apps.
xHelper works by unpacking a malicious payload into memory. That payload then connects to the operator’s servers, and the connection uses SSL certificate pinning, which stops an intercepting proxy from reading or tampering with the traffic and so hampers analysis of what the malware sends and receives. The malware is not limited to ads, though. Researchers believe the servers can push it droppers, clickers, and rootkits, which would let it do everything traditional malware does, including harvesting data.
The malware does not come from any apps on the Play Store. According to Malwarebytes, “The source of these infections is ‘web redirects’ that send users to web pages hosting Android apps. These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan.”
How to get rid of xHelper?
Getting rid of it is where xHelper creates even more problems. Unlike most malware, you can’t simply remove it. It keeps itself running as a foreground process, so memory cleaners and app killers won’t terminate it, and it does not appear in recent apps or the app drawer. Uninstalling it, if you can find it, does not help either: the app reappears on its own, circumventing the uninstallation.
Not even a factory reset will help; it persists through that too. There is no clear explanation yet of how. One suggestion is that the vendor’s own firmware is infected, for example on devices from Chinese OEMs without a big international presence. Another is that Chrome gets infected, which would explain why some users seemingly got rid of it by uninstalling Chrome.
Some researchers also think the malware finds its way into your Google backup and restores itself along with your other apps, which is plausible given that it already evades security apps such as Google Play Protect. Symantec says it may be able to attach itself to a system-level app and reinstall itself from there.
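One practical way to look for an app that hides from the app drawer and recents, and that may come back as a system package, is to enumerate installed packages over adb and flag those that were not installed by a known store. The script below is an added example, not code from the article or from any of the vendor reports it cites; the package names in its sample are constructed, the list of trusted installers is an assumption, and it assumes the `package:<name>  installer=<installer>` line format of `pm list packages -i`.

```shell
# Added triage helper (not from the article): list packages that were not
# installed by a known app store, using `pm list packages -i` output.
# Assumes the output format "package:<name>  installer=<installer>".

# Installers we treat as trusted. Assumption for this example; adjust for
# your OEM's store. Anything else, including "null" (sideloaded or installed
# by another app), is reported.
TRUSTED_INSTALLERS='com.android.vending com.sec.android.app.samsungapps com.amazon.venezia'

# flag_sideloaded: read `pm list packages -i` lines on stdin and print
# "<package>\t<installer>" for every package not installed by a trusted store.
flag_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;          # only package lines are of interest
            *) continue ;;
        esac
        pkg=${line#package:}       # drop the "package:" prefix
        pkg=${pkg%% *}             # keep only the package name
        installer=${line##*installer=}
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            [ "$installer" = "$t" ] && trusted=1
        done
        [ "$trusted" -eq 1 ] || printf '%s\t%s\n' "$pkg" "$installer"
    done
}

# Constructed sample output (these package names are made up, not xHelper's).
# With -3 the listing excludes system packages, which all report installer=null.
SAMPLE='package:com.whatsapp  installer=com.android.vending
package:com.example.cracked  installer=null
package:com.example.unknown  installer=com.example.store'

printf '%s\n' "$SAMPLE" | flag_sideloaded

# Live use, with USB debugging enabled on the device:
#   adb shell pm list packages -i -3 | flag_sideloaded
# If a package keeps returning after removal, also check whether it now shows
# up among system packages, i.e. as part of the firmware:
#   adb shell pm list packages -s | grep <name>
```

The script only finds what is installed; it does not remove anything. `pm uninstall --user 0 <pkg>` removes a package for the current user only, and as the article notes, xHelper has been observed to come back regardless, so snapshot the list before and after a reset to see exactly which package reappears.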
You may want to stop installing APKs from shady websites
As of right now there is no cure once your device is infected. A factory reset followed by setting the phone up fresh, without restoring your backup, might help, given the backup theory above. Prevention is better than cure, as the saying goes, and that is doubly true here, since there does not seem to be a cure. Symantec, for its part, says its own Symantec Endpoint Protection Mobile can mitigate xHelper.