Android malware Xhelper makes the case for Google Play yet again

By JC Torres/Oct. 30, 2019 7:38 pm EST

It's no longer really surprising to hear about yet another malware on the rise on the Android platform. Sometimes, their threat can be genuinely frightening, especially when they manage to get past Google's automated security checks. The Xhelper malware being reported is, fortunately a bit different in that, this time, infected apps are being traced to unofficial sources outside Google Play Store. Unfortunately, the evolution of the malware over the past months may prove it to be just as dangerous and damaging if left unchecked.

Famed cyber security company Symantec first learned about the malware dubbed as Xhelper back in March this year. Back then, it proved to be almost too simple to mind, though its advertisement gimmick was already worrying even back then. Now the malware has evolved considerably, using even more sophisticated strategies and there are hints that it isn't done growing yet.

Xhelper has the standard malware traits in that it doesn't itself contain the actual payload. It does contain encrypted functions to communicate with a remote C&C server, a new feature that the earlier version of Xhelper didn't have. It then uses, ironically, an SSL feature to mask to mask its communication with the remote server and the download of the actual payload that can range from clickers to rootkits.

What makes this malware particularly worrying is its persistence and its methods to evade detection. It's not a regular app that can be easily noticed by the user, is launched by listening for certain events, and runs in the foreground to prevent being killed by the memory manager. Most importantly, Xhelper is not only able to survive between reboots but even after factory resets.

Symantec says that Xhelper's creators seem to be targeting specific Android phone brands in India, Russia, and even the US. Of the 45,000 infections it was able to identify, none seem to be traced back to Google Play Store versions of infected apps. It hints that the malware may not be advanced enough to evade Google's security measures but it could also be just a matter of time.