Xhelper Malware Is Anything But Helpful, Infects Over 45K Devices


Security researchers at Symantec have reported that more than 45,000 Android devices are infected with an unremovable malware identified as Xhelper. The malware is targetting users in the U.S., Russia, and India. Jio users in the latter region appear to be at a heightened risk. The researchers have spotted several instances in the app's code that directly implicates that mobile service provider.

Regarding what Xhelper does, it typically shows random advertisements but it also can download other malicious apps. It works by first installing and unpacking a malicious payload to memory. That connects the app to servers, with communications taking place via SSL certificate pinning to prevent detection and interception.

The Xhelper malware isn't limited to ads and downloads, though. The researchers have reason to believe that a full suite of tools is provided at the app's server, including droppers, clickers, and rootkits. That would mean it can effectively do anything more traditional malware are capable of, in addition to using unwanted ads as a source of income. That includes the gamut from stealing private data to completely taking control of an infected device.


The real problem with Xhelper is in the details

The 45,000 devices impacted here seems like a drop in the ocean compared to the millions of devices affected by various malware in the past. Xhelper differs from those dramatically. Not only does this particular malware seem to do it all. It's also notoriously difficult to remove.

Memory cleaning applications aren't effective either since Xhelper places itself as a foreground process. That means the process will often keep running. It also isn't among the first apps killed automatically when memory starts to get low.

Xhelper won't appear in the recent apps or in the app drawer either and doesn't always appear in the running apps list. It only starts up under certain circumstances. Symantec indicates that's usually when connecting or disconnecting from a power supply, rebooting, or installing and uninstalling apps.


The biggest issue is that uninstalling the app doesn't seem to work. The app circumvents the process and appears again later just as it does when the processes associated with it are stopped.

In fact, users report that even a full factory reset won't always eliminate the threat. Summarily, Xhelper persists through the usual means to get rid of a given malware. The root cause of that, Symantec says, seems to be the app latching itself to a valid system-level app that's reinstalling the app when it's removed. But the company is still investigating the source of the problem.

Prevention is the only mitigation for now

As of this writing, there don't appear to be any effective methods for removing Xhelper once it's in place on a device. That means that preventative measures are going to be the only option.


Although users do report that not every antivirus app for Android will stop it from being installed, Symantec does say its own software works. Specifically, the security researchers indicate that Symantec Endpoint Protection Mobile can mitigate Xhelper. Secondary to that, the researchers indicate that Norton also seems to be effective. Targets on the Jio network in India can install JioSecurity via the MyJio app for protection. That app is powered by Norton.

Beyond those methods, Symantec is reminding Android users that installing apps from "unknown sources" is not a safe practice. Xhelper doesn't appear to have made its way onto the Google Play Store or similar official app markets. Additionally, paying close attention to permissions requested by an app is helpful in spotting apps that are going beyond their described scope.

Keeping security software as up-to-date as possible will help mitigate other threats. Moreover, making frequent backups can also be useful since security isn't perfect under almost any circumstances.