The secret behind “unkillable” Android backdoor called xHelper has been revealed

by Dan Goodin, from Ars Technica

In February, a researcher detailed a widely circulating Android backdoor that's so pernicious that it survives factory resets, a trait that makes the malware impossible to remove without taking unusual measures.

The analysis found that the unusual persistence was the result of rogue folders containing a trojan installer, neither of which was removed by a reset. The trojan dropper would then reinstall the backdoor in the event of a reset. Despite those insights, the researcher still didn't know precisely how that happened. Now, a different researcher has filled in the missing pieces. More about that later. First, a brief summary of xHelper.

A backdoor with superuser rights

The malicious Android app poses as a performance enhancer that removes old and unneeded files. Antivirus provider Malwarebytes has detected it on 33,000 devices, mainly located in the United States, while AV from Russia-based Kaspersky Lab found it on 50,000 devices. There's no evidence xHelper has ever been distributed through Google Play.
