Published in News

Android catches herpes

by on14 February 2020
Android catches herpes


Once infected it does not go away

A widely circulating piece of Android malware which uses a clever trick to reinfect its targets in a feat that stumped researchers as to precisely how it was pulled off.

According to Ars Technica xHelper came to light last May when a researcher from security firm Malwarebytes published this brief profile. Three months later, Malwarebytes provided a deeper analysis after the company’s Android antivirus app detected xHelper on 33,000 devices mostly located in the US, making the malware one of the top Android threats. The encryption and heavy obfuscation made analysis hard, but Malwarebytes researchers ultimately concluded that the main purpose of the malware was to act as a backdoor that could remotely receive commands and install other apps.

Malwarebytes published a new post that recounted the lengths one Android user took to rid her device of the malicious app. In short, every time she removed two xHelper variants from the device, the malware would reappear on her device within the hour. She reported that even performing a factory reset wasn't enough to make the malware go away.

Company researchers found several folders on the phone that contained files that, when executed, installed xHelper. All of the folders began with the string com.mufc. To the researchers’ surprise, these folders weren’t removed even though the user performed a factory reset on the device.

Malwarebytes’ Nathan Collier wrote in Wednesday’s post: “Usually a factory reset, which is the last option, resolves even the worst infection. I cannot recall a time that an infection persisted after a factory reset unless the device came with pre-installed malware.”

The user finally rid her device of the malware after using an Android file manager to delete the mufc folders and all their contents. Because the malware was somehow identifying Google Play as the source of the reinfection, Collier recommends people in a similar position to disable the Google Play Store app before removing the folders.

Collier still isn’t sure how the mufc folders came to reside on the phone in the first place or why they weren’t deleted during factory reset. In October, security firm Symantec also reported that users were complaining that factory resets didn’t kill xHelper, but company researchers were also unable to explain why. One theory, Collier said, is that an xHelper variant installed the folders and made them appear as an SD card that wasn’t affected by the factory reset - the user reported that her device didn’t have an SD card.

Fortunately, at the moment, only Americans are being infected.

 

Last modified on 14 February 2020
Rate this item
(0 votes)
Tagged under
More in this category: « Samsung Galaxy S outperforms Apple's Air Windows 12 Lite ships as Linux in drag »
back to top

Most popular

Latest comments

Read more about: