Malwarebytes researchers have encountered a new kind of Android malware. Removed several times, it reinstalled itself within the hour every time. To break the endless loop, they had to go beyond a full factory reset of the smartphone.
It is so persistent that even a full factory reset of the smartphone did not get rid of it. The xHelper Trojan for Android smartphones resurfaced at the start of 2020 in a version that is almost impossible to clean. It had already claimed many victims in the summer of 2019, allowing criminals to deploy other malware.
But this improved version gave a hard time to the Malwarebytes team led by Nathan Collier. The analyst even claims that the way the malware operates marks "a new era" of malware on smartphones.
A virus that keeps reinstalling itself
Malwarebytes researchers were alerted in January 2020 by a user. Knowledgeable about such matters, she had identified that her phone was infected with xHelper. Using the company's anti-malware, she successfully removed two versions of xHelper, as well as a Trojan horse. Except that xHelper returned barely an hour after being deleted. So the research team had to take a closer look.
Before contacting the company, the user had tried everything, including resetting her smartphone. Concretely, this operation resets every setting on the device to its factory state: no more applications, photos, contacts or history. In short: no trace of its use, apart from a few files in the lower software layers.
No luck: this operation did not solve the problem, and xHelper kept reinstalling itself. Faced with a puzzle, the Malwarebytes team first ruled out malware holding device administrator rights. Had that been the case, it would normally have blocked the uninstallation of the apps infected with xHelper. After clearing browser history and caches, the experts also ruled out a threat related to web browsing.
Malware preinstalled on the smartphone? Wrong again
They had one lead left: malware preinstalled on the device. It seemed all the more credible because the smartphone came from a "lesser-known" manufacturer, according to the Malwarebytes team. This is just a polite way of referring to one of those brands unknown to the general public, whose security guarantees are more than questionable.
The researchers guided the user through a debugging procedure, which required connecting the phone to a PC. Specifically, they used a method that renders preinstalled system applications inoperative (such as the Settings app), even though they technically remain on the device. The experts disabled, one by one, each application that looked suspicious to them. Except that even after disabling the system update app, xHelper soon came back.
The culprit was hiding behind Google Play
With each round of cleaning and disabling, the options narrowed: "Since we were out of ideas, we disabled Google Play (Android's application store, editor's note)," Nathan Collier concedes. Surprise: the reinfections stopped. Yet none of the malicious applications detected had been downloaded from that store. They nevertheless pointed to it as the source.
The researchers were taken aback: could Google Play itself be infected? A few analyses later, that lead was abandoned. Well, almost: something in Google Play triggers the reinfection, or at least uses the app as cover.
The problem is not entirely resolved
By digging through the phone's files for the name linked to the xHelper programs, "com.mufc", they managed to find a folder linked to an APK. That acronym refers to the archive that contains everything needed for an Android application. Except that in this case, the APK was used to deploy a Trojan horse, which itself deployed the new version of xHelper. By removing this APK, the Malwarebytes team solved the problem.
If the researchers struggled so hard to find it, it is because the name of this Trojan horse appears nowhere on the device. The experts speculate that it installs, deploys the malware, and then uninstalls itself within seconds to slip past detection systems. Then the loop starts again, apparently indefinitely. The researchers believe that something in Google Play is triggering the Trojan horse cycle. What exactly? The question remains open.
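The hourly reinfection described above is easier to spot by comparing package inventories over time than by hunting for a name that vanishes within seconds. The following added example (not code from Malwarebytes or the article) parses two snapshots of `adb shell pm list packages -f` output, one taken right after a clean-up and one an hour later, and reports packages that reappeared, plus any package carrying the "com.mufc" name fragment tied to xHelper. The snapshots and the `com.mufc.placeholder` package name are constructed for illustration.

```python
"""Triage helper for a phone that keeps getting reinfected.

Expected input is the output of `adb shell pm list packages -f`, whose lines
look like `package:/data/app/<dir>/base.apk=<package.name>` (assumption about
the format, which has been stable across Android releases).
"""
import re
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^package:(?P<path>\S+)=(?P<pkg>[\w.]+)$")

# Name fragment the article links to the xHelper components.
SUSPECT_PREFIXES = ("com.mufc",)


def parse_package_list(text: str) -> Dict[str, str]:
    """Map package name -> APK path; lines that do not match are ignored."""
    packages: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            packages[match.group("pkg")] = match.group("path")
    return packages


def reappeared_packages(after_cleanup: str, hour_later: str) -> List[str]:
    """Packages present in the later snapshot but absent right after cleaning."""
    before = parse_package_list(after_cleanup)
    after = parse_package_list(hour_later)
    return sorted(set(after) - set(before))


def suspicious_packages(text: str) -> List[Tuple[str, str]]:
    """(package, path) pairs whose name starts with a known-bad prefix."""
    return sorted(
        (pkg, path)
        for pkg, path in parse_package_list(text).items()
        if pkg.startswith(SUSPECT_PREFIXES)
    )


# Constructed snapshots: the second one shows the package coming back.
SNAPSHOT_AFTER_CLEANUP = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/Phonesky/Phonesky.apk=com.android.vending
package:/data/app/com.example.notes-1/base.apk=com.example.notes
"""
SNAPSHOT_HOUR_LATER = SNAPSHOT_AFTER_CLEANUP + (
    "package:/data/app/com.mufc.placeholder-1/base.apk=com.mufc.placeholder\n"
)

if __name__ == "__main__":
    print("reappeared:", reappeared_packages(SNAPSHOT_AFTER_CLEANUP, SNAPSHOT_HOUR_LATER))
    print("suspect:", suspicious_packages(SNAPSHOT_HOUR_LATER))
```

Running the comparison on a schedule (for example every few minutes) narrows the reinstall window well below the hour the article reports, which makes the dropper's brief presence far more likely to be captured.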