A Persistent Trojan Downloader for Android OS

This blog is by Knogin blog. Reposted with permission.A new security threat has emerged, this time for Android OS, making mobile security researchers scratch their heads for the past few months, the malware is called xHelper.The malware has already infected more than 45,000 Android devices in just the last six months and is continuing to spread by infecting at least 2,400 devices on an average.A manual uninstall will not solve an issue as the app will 'reappear' by itself just a few moments after uninstalling it.Typically, mobile trojan droppers contain one or more malicious APK within the original app that is intended to be installed onto the mobile device. The most common location these additional APKs are stored is within the Assets Directory (only can be seen conducting a reverse engineer of the app). However, xHelper is not typical; it is not using an APK file stored in the Assets Directory. 

TTPs

It mimics to be a legitimate app in the Google Play Store. Once you download the app you wanted, the app is installed, and so the malware, xHelper, doesn't provide a regular app user interface. Instead, it gets installed as an application component that doesn't show up on the device's apps menu in an attempt to remain hidden from the users. It can be spotted in Settings -> Apps -> All apps.To launch itself, xHelper relies on some external actions caused by users, like connecting or disconnecting the infected device from a power supply, rebooting a device, or installing or uninstalling an app.Once xHelper gains grip on the victim's smartphone, it begins executing its core malicious functionality by decrypting to memory the malicious payload embedded in its package.The malicious payload connects to the attacker's Command and Control server and waits for commands. To prevent this communication from being intercepted easily, an SSL certificate is used for all communication between the victim's device and the C&C server.Upon successful connection to the C&C server, additional payloads can be downloaded into the infected Android device, such as droppers, clickers, and rootkits. Also, since the adversary will have control of the device, it is now giving the attacker multiple options, including data theft or even complete appropriation of the device. 

Conclusions

Antivirus apps listed in Google Play seem that they do not recognize the xHelper app as a security threat or malware.A manual uninstall will not solve an issue as the app will 'reappear' by itself just a few moments after uninstalling it. It is giving a hard time to the researchers since they did not find the exact source from where the malicious app packed with the xHelper malware comes in the first place. They did suspect that a malicious system app pre-installed on Android devices from certain brands actually could be the one which is downloading the malware.Google Play team is working hard to try to remove or ban all these apps that serve as a malware dropper. However, more new apps can be uploaded to the Play Store without too much control from Google.Giving a glance at what you intend to download can give you an idea of whether the app could be a potential malicious one. It is as easy as going to ‘ADDITIONAL INFORMATION' within the app in the Play Store, in there you can see the number of installs, the version, the last update, and the information about the developer and publisher. You can spot that a random email associated may be a flag to avoid downloading the app. 

Advice

Since the source of the malware is still unclear, Android users are recommended to take simple but effective precautions such as:

• Keep your devices and apps up-to-date
• Avoid download apps from not very reliable sources
• Always pay close attention to the permissions requested by apps
• Frequently back up your data
• Avoid installing apps from unknown sources and disable this option in the security settings if enabled.

TTPs: Tactics, techniques and procedures