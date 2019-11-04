Infosecurity Group Websites

Android Dropper App Infects 45K Devices

A malicious Android app that displays advertisements and facilitates the download of additional malicious apps has infected over 45,000 devices in six months. 

Researchers at Symantec observed a surge in detections of the Xhelper app, which has mainly been targeting users in the US, India, and Russia. 

This annoying app, which bombards infected devices with pop-up advertisements, is hard to find because it is designed not to appear in the system launcher, so the user has no icon to tap and nothing obvious to uninstall.

In addition to playing an irritating game of hide and seek, Xhelper has proved more tenacious than a five-year-old in a candy store, repeatedly reinstalling itself on devices from which it has been removed, and even on devices that have been restored to factory settings.

Researchers wrote: "We have seen many users posting about Xhelper on online forums, complaining about random pop-up advertisements and how the malware keeps showing up even after they have manually uninstalled it."

With no app icon on the launcher, Xhelper cannot be launched manually. Instead, it is started by system broadcasts: it springs into action when a compromised device is rebooted, when an app is installed on or removed from the device, or when the device is connected to or disconnected from a power supply.

Once started, the malware registers itself on the device as a foreground service, which lowers the risk of the system killing it when the device's memory runs low.

"For persistence, the malware restarts its service if it is stopped; a common tactic used by mobile malware," wrote researchers.
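The traits described above (no launcher entry point, broadcast receivers keyed to reboot, package and power events, and a foreground service) are all visible in an app's manifest before it ever runs. The script below is an added example, not Symantec's tooling or anything from the Xhelper sample, that applies those three checks to a decoded AndroidManifest.xml as a triage heuristic. The two manifests embedded in it are constructed for illustration; the package names, component names and the scoring rule are assumptions, not observed indicators. Plenty of legitimate apps (keyboards, wallpapers, device-management agents) also lack a launcher icon, so a hit is a reason to look closer, not a verdict.

```python
"""Manifest triage for Xhelper-style persistence traits (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix for android:* attributes once parsed

# Broadcast actions matching the triggers the article describes.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
}

# Constructed sample: hidden app with event-driven receivers and a
# foreground service. Package and class names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hidden">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="helper">
    <receiver android:name=".Wake">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".Pkg">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <service android:name=".Svc"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with a launcher icon that also
# listens for boot, which on its own is unremarkable.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Notes">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".Reminder">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def analyze_manifest(xml_text):
    """Return the three persistence traits plus a combined verdict."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:  # malformed or library manifest: nothing to launch at all
        app = ET.Element("application")
    perms = {p.get(A + "name") for p in root.findall("uses-permission")}

    # 1. Is there any MAIN/LAUNCHER activity (i.e. a visible icon)?
    has_launcher = False
    for act in app.findall("activity") + app.findall("activity-alias"):
        for flt in act.findall("intent-filter"):
            actions = {x.get(A + "name") for x in flt.findall("action")}
            cats = {x.get(A + "name") for x in flt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                has_launcher = True

    # 2. Which system events can wake the app via manifest receivers?
    triggers = set()
    for rcv in app.findall("receiver"):
        for flt in rcv.findall("intent-filter"):
            for act in flt.findall("action"):
                if act.get(A + "name") in TRIGGER_ACTIONS:
                    triggers.add(act.get(A + "name"))

    # 3. Can it promote itself to a foreground service (API 28+ permission)?
    has_fg = ("android.permission.FOREGROUND_SERVICE" in perms
              or any(s.get(A + "foregroundServiceType")
                     for s in app.findall("service")))

    # Assumed scoring rule: all three traits together warrant a closer look.
    suspicious = (not has_launcher) and bool(triggers) and has_fg
    return {"has_launcher": has_launcher, "triggers": sorted(triggers),
            "foreground_service": has_fg, "suspicious": suspicious}


if __name__ == "__main__":
    for name, m in (("hidden", SAMPLE_MANIFEST), ("notes", BENIGN_MANIFEST)):
        print(name, analyze_manifest(m))
```

Run it against the output of `apktool d` (the `AndroidManifest.xml` it writes is the decoded form the parser expects; a raw binary manifest from the APK will not parse). A fourth check worth adding when you have the DEX rather than just the manifest is whether the service's `onDestroy` or `onTaskRemoved` re-schedules itself, which is the "restarts its service if it is stopped" behaviour the researchers describe.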

Once Xhelper has settled in, it decrypts into memory the malicious payload embedded in its package. The payload then connects to the threat actor's command and control (C&C) server and waits for commands.

"Upon successful connection to the C&C server, additional payloads such as droppers, clickers, and rootkits, may be downloaded to the compromised device. We believe the pool of malware stored on the C&C server to be vast and varied in functionality, giving the attacker multiple options, including data theft or even complete takeover of the device," wrote researchers. 

Symantec first spotted Xhelper in March 2019, when it did little more than visit advertisement pages for monetization. Since then the malicious app's code has grown more sophisticated, and researchers "strongly believe that the malware’s source code is still a work in progress."
