xHelper is the invisible malware that has already affected 45 thousand Android devices
In circulation for a few months and identified in May by MalwareBytes, it has now been analyzed further by Symantec: for now it behaves as adware, but its characteristics make it very dangerous.
Cybersecurity company Symantec has in recent days released details about a new threat to Android devices: a piece of malware called xHelper that has infected over 45,000 devices in the past six months. The security company MalwareBytes first identified it last May.
The affected users are mainly located in India, the United States and Russia. Over this period xHelper has steadily climbed the list of the top 10 most detected mobile malware, and Symantec itself highlights a surge in detections in the most recent period.
"Just in the past month, there has been an average of 131 devices infected every day, and an average of 2400 devices persistently infected over the month," says the security company. MalwareBytes indicated 33,000 infected devices in its latest report, and Symantec's current numbers testify to very rapid growth in just two months.
The precise origin of the malware is still under investigation. As Symantec noted, none of the analyzed samples were available on the Google Play Store, which suggests that the malware may have been downloaded from unknown sources.
Two features make xHelper particularly insidious: it can operate in a completely invisible way (we will see how a little further on), and it keeps reinstalling itself on the device even after manual removal and even after a factory reset, which suggests there is another app marked as "system" that takes care of downloading the malware again.
xHelper, the malware that hides
So let's look at the "stealth" abilities of this malware: xHelper is formally an application component, and for this reason it is not listed in the device's application launcher and does not even have an icon.
On the one hand this makes launching it manually impossible; on the other, it allows xHelper to carry out its activities out of sight. So how can it be launched without an icon? The authors of the malware have inserted a series of "triggers" that start xHelper in response to external events that occur frequently: connecting to a power source, restarting the device, installing or removing another app.
When the malware starts, it registers itself as a foreground service in Android, which reduces the chances of the operating system closing it automatically in particular situations (congested memory or low battery, for example). In any case, the malware restarts if it is closed.
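The combination described above (no launcher entry, a service, and receivers for frequent system events) can be checked statically in a decoded AndroidManifest.xml. The following is an added defensive example, not code from Symantec, MalwareBytes or the malware itself; the mapping of the article's triggers to these standard Android broadcast actions, the scoring rule and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
# Standard Android broadcasts matching the triggers the article lists
# (which exact actions xHelper registers is an assumption of this example).
TRIGGERS = {
    "android.intent.action.BOOT_COMPLETED": "device restart",
    "android.intent.action.ACTION_POWER_CONNECTED": "power connected",
    "android.intent.action.PACKAGE_ADDED": "app installed",
    "android.intent.action.PACKAGE_REMOVED": "app removed",
}

def audit_manifest(xml_text):
    """Flag a decoded AndroidManifest.xml that has no launcher entry but
    declares a service and receivers for frequent system broadcasts."""
    root = ET.fromstring(xml_text)
    has_launcher = any(c.get(NAME) == "android.intent.category.LAUNCHER"
                       for c in root.iter("category"))
    triggers = sorted({TRIGGERS[a.get(NAME)]
                       for r in root.iter("receiver")
                       for a in r.iter("action") if a.get(NAME) in TRIGGERS})
    has_service = root.find("application/service") is not None
    return {"package": root.get("package"), "has_launcher": has_launcher,
            "triggers": triggers, "has_service": has_service,
            "suspicious": not has_launcher and has_service and len(triggers) >= 2}

def _manifest(pkg, body):  # helper that builds the constructed samples
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{pkg}"><application>{body}</application></manifest>')

def _filter(*names, category=None):
    items = "".join(f'<action android:name="android.intent.action.{n}"/>' for n in names)
    if category:
        items += f'<category android:name="android.intent.category.{category}"/>'
    return f"<intent-filter>{items}</intent-filter>"

# Constructed samples, not taken from any real app.
HIDDEN = _manifest("com.example.hidden",
    '<service android:name=".Core"/><receiver android:name=".Wake">'
    + _filter("BOOT_COMPLETED", "ACTION_POWER_CONNECTED", "PACKAGE_ADDED", "PACKAGE_REMOVED")
    + "</receiver>")
NORMAL = _manifest("com.example.alarm",
    '<activity android:name=".Main">' + _filter("MAIN", category="LAUNCHER") + "</activity>"
    '<service android:name=".Ring"/><receiver android:name=".Boot">'
    + _filter("BOOT_COMPLETED") + "</receiver>")

if __name__ == "__main__":
    for sample in (HIDDEN, NORMAL):
        print(audit_manifest(sample))
```

Legitimate apps such as widgets or device-management agents can also lack a launcher icon, so a hit from this check is a reason to review the package, not a verdict.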
The good news, so to speak, is that xHelper is not characterized by particularly sophisticated operations: for now, it only bombards the user with intrusive pop-ups and spam notifications.
Its characteristics make it a particularly effective vector for delivering more complex malware packages, leaving open the possibility that it could be transformed from simple adware into a much more serious security threat, perhaps capable of installing other malicious apps or of allowing full remote control of the device.
Symantec notes that xHelper's features have been significantly expanded in recent times, and that the perpetrators are still constantly evolving the malware to target new victims.
The code still seems to be a work in progress, and many variables labeled "Jio" suggest that the attackers are planning more substantial action against users of Jio, the second largest cellular network operator in India, which has over 300 million subscribers.