In February, a researcher explained how a widespread piece of Android malware survives factory resets, a behavior that makes it impossible to remove without taking unusual measures.
The analysis found that the unusual persistence was the result of rogue folders containing a trojan installer, neither of which was removed by a reset. After a reset, the trojan dropper would reinstall the backdoor. Despite those insights, the researcher still didn't know exactly how that happened. Now, a different researcher has filled in the missing pieces. More about that later. First, a brief overview of xHelper.
A backdoor with superuser rights
The malicious Android app poses as a performance enhancer that removes old and unneeded files. Antivirus provider Malwarebytes has detected it on 33,000 devices, located mainly in the United States, while AV from Russia-based Kaspersky Lab has detected it on 50,000 devices. There is no indication that xHelper is distributed through Google Play.
Once installed, xHelper installs a backdoor that downloads and installs apps from an attacker-controlled server. It also runs commands as superuser, a powerful privilege that gives the malware unrestricted rights over the system. Beyond that, the backdoor has access to sensitive data, including the browser cookies used to log in to sites automatically. Once the backdoor is installed, the cleaner app disappears from the home screen and the app menu and can be seen only by checking the list of installed applications in the system settings.
The February post was written by Malwarebytes researcher Nathan Collier. He reported the trouble one user had in ridding her phone of the malware. Although AV removed the two xHelper variants and the related trojan from the device, xHelper reinstalled itself within an hour. xHelper returned even after a factory reset.
Collier determined that the reinfections were the result of an unseen file located in a hidden folder. The folder could not be removed by normal means. It was unclear exactly how the folder got onto infected phones. Collier ruled out the possibility that the folder and file came preinstalled on the device. It was also unclear why the file was not detected by AV and exactly how the malicious file was activated after AV or a reset removed the infection.
Triada
Last week, Kaspersky Lab researcher Igor Golovin published a post that fills in some of the gaps. The reinfections, he said, were the result of files downloaded and installed by the notorious trojan known as Triada, which goes to work once the xHelper app is installed. Triada roots devices and then uses its powerful system privileges to install a series of malicious files directly into the system partition. It does this by remounting the system partition in write mode. To make the files even more persistent, Triada gives them the immutable attribute, which prevents deletion even by a superuser. (Interestingly, the attribute can be removed using the chattr command.)
A file named install-recovery.sh makes calls to the files added to the /system/xbin folder. That allows the malware to run every time the device is restarted. The result is what Golovin describes as an “unkillable” infection that has extraordinary control over the device.
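The two persistence indicators described above, a boot-time install-recovery.sh that invokes binaries under /system/xbin and files in that folder carrying the immutable attribute, can be checked from text captured off a device or firmware image without running anything on it. The following audit script is an added example written for this page, not code from Kaspersky, Malwarebytes or the article; the file names ending in `placeholder_*` and `benign_tool`, the sample install-recovery.sh and the sample `lsattr` output are all constructed for illustration and are not real xHelper artifacts.

```python
"""Audit an extracted Android /system tree for the persistence indicators
described above: an install-recovery.sh that invokes binaries under
/system/xbin, and /system/xbin files carrying the ext4 immutable attribute
(set with `chattr +i`, shown as a lowercase 'i' in `lsattr` output).

Inputs are plain text captured from a device or image, so the checks run
offline. All sample data below is constructed; the xbin names are placeholders.
"""
import re
from dataclasses import dataclass, field

# Paths under /system/xbin that a shell script touches.
XBIN_RE = re.compile(r"(/system/xbin/[A-Za-z0-9._-]+)")
# lsattr prints a flags field, whitespace, then the path.
LSATTR_RE = re.compile(r"^(\S+)\s+(.+?)\s*$")

# Constructed sample: what a tampered install-recovery.sh might look like.
SAMPLE_INSTALL_RECOVERY = """#!/system/bin/sh
# constructed sample; these xbin paths are placeholders, not real malware names
/system/xbin/placeholder_loader &
/system/xbin/placeholder_daemon --start
"""

# Constructed sample: output of `lsattr /system/xbin` on the same image.
SAMPLE_LSATTR = """----i---------e---- /system/xbin/placeholder_loader
----i---------e---- /system/xbin/placeholder_daemon
--------------e---- /system/xbin/benign_tool
"""


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def parse_lsattr(output: str) -> dict:
    """Map each path in `lsattr` output to its flag string."""
    flags = {}
    for line in output.splitlines():
        m = LSATTR_RE.match(line.strip())
        if m:
            flags[m.group(2)] = m.group(1)
    return flags


def xbin_references(script: str) -> list:
    """Return /system/xbin paths a shell script invokes, ignoring comments."""
    refs = []
    for line in script.splitlines():
        code = line.split("#", 1)[0]  # drop trailing comments
        for path in XBIN_RE.findall(code):
            if path not in refs:
                refs.append(path)
    return refs


def audit(install_recovery: str, lsattr_xbin: str) -> list:
    """Combine both signals: what the boot script runs, and what is immutable.

    Files showing both indicators are listed first; a stock image should
    produce no findings at all.
    """
    findings = {}
    for path in xbin_references(install_recovery):
        findings.setdefault(path, Finding(path)).reasons.append(
            "invoked from install-recovery.sh")
    for path, fl in parse_lsattr(lsattr_xbin).items():
        if "i" in fl:  # lowercase i = immutable; uppercase I means something else
            findings.setdefault(path, Finding(path)).reasons.append(
                "immutable attribute set")
    return sorted(findings.values(), key=lambda f: (-len(f.reasons), f.path))


if __name__ == "__main__":
    for f in audit(SAMPLE_INSTALL_RECOVERY, SAMPLE_LSATTR):
        print(f"{f.path}: {'; '.join(f.reasons)}")
```

On a real device the inputs would come from `cat /system/etc/install-recovery.sh` and `lsattr /system/xbin` (paths vary by vendor), taken with the partition mounted read-only or from a pulled image, so the audit never has to modify the system partition it is inspecting.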
“It’s very easy to get infected by xHelper,” Golovin told me. “Devices attacked by this malware may lack OS security patches and remain vulnerable to rooting and installing such malware. Also, it is very difficult for users to remove this malware once it is installed. This means that xHelper’s user base can grow quickly and xHelper can stay active on attacked devices for a long time.”
Poisoning the well
The researcher initially thought that it might be possible to remove xHelper by remounting the system partition in write mode and deleting the malicious files stored there. He later dropped that idea.
“The developers of Triada reconsidered this question, and used another defensive strategy that involved changing the system library /system/lib/libc.so,” explained Golovin. “This library contains common code that is used by all executable files on the device. Triada substitutes its own code for the mount function (used to mount filesystems) in libc, thus preventing the user from mounting the /system partition in write mode.”
Fortunately, the reinfection method described in last week’s report works only on devices running older Android versions with known rooting vulnerabilities. Golovin, however, allows for the possibility that, in some cases, xHelper can maintain persistence through malicious files that came preinstalled on phones or tablets.
People can disinfect devices by using their recovery mode, when available, to replace the infected libc.so file with the correct one from the original firmware. Users can then either remove all of the malware from the system partition or, simpler still, reflash the device.
Golovin’s analysis provides a valuable case study of a clever technique that could be used again, should new rooting vulnerabilities be found in current Android versions. The insights can prove helpful both to end users who are comfortable using the more advanced features of their phones and to security professionals who work on securing Android devices.
It’s “very good writing, and (I’m) glad that someone was able to reproduce it better than I could,” Collier said. “It all seems possible.”