There has been a surge in activity surrounding the Xhelper Android ad dropper, with more than 45,000 devices being infected since the malware made its first appearance six months ago.
In the past month an average of 131 devices were infected each day, with about 2,400 devices persistently infected throughout the month. The malware mostly hits users in India, the U.S. and Russia.
Xhelper, first identified by Malwarebytes, recently attracted Symantec's attention when it began to evolve from a simple malicious app that visited advertisements to generate revenue into a more sophisticated one capable of connecting to a command-and-control (C2) server and evading signature-based detection. Complaints about the pop-up ads it generates have also become more common on user forums.
Xhelper is persistent: It is able to reinstall itself after users uninstall it and is designed to stay hidden by not appearing on the system's launcher, said Symantec software engineers May Ying Tee and Tommy Dong.
One of Xhelper's differentiators is that it is an application component with no regular user interface: it declares no launcher activity, so no icon appears in the device's launcher, which helps keep it hidden and means the user cannot start it manually. (The package itself is still listed among installed apps in the system settings, which is how users uninstall it, only to see it return.) Instead, an external event must trigger Xhelper, such as the device being connected to or disconnected from a power supply, a reboot, or the installation of an app.
“Once launched, the malware will register itself as a foreground service, lowering its chances of being killed when memory is low. For persistence, the malware restarts its service if it is stopped, a common tactic used by mobile malware,” the Symantec team wrote.
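The combination described above (no launcher activity, receivers for system broadcasts such as boot or power events, and a long-running service) is visible in an app's AndroidManifest.xml before the app ever runs, so it makes a cheap triage heuristic. The following script is an added example, not code from Symantec, Malwarebytes, or the Xhelper authors; it parses a manifest, records which of those traits are present, and flags packages that show all three. The two manifests embedded in it are constructed for illustration and the package names are hypothetical.

```python
"""Triage an AndroidManifest.xml for Xhelper-style hidden persistence.

Heuristic (added example, not vendor code): flag a package that
  (a) has no activity with the LAUNCHER category (no icon, no manual start),
  (b) registers a receiver for a system broadcast Xhelper is described as
      reacting to (boot, power connect/disconnect, package install), and
  (c) declares a service (the component that can run in the foreground).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Broadcast actions named in the article as Xhelper's triggers.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
    "android.intent.action.PACKAGE_ADDED",
}
FOREGROUND_PERMISSION = "android.permission.FOREGROUND_SERVICE"


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def analyse_manifest(xml_text):
    """Return a dict of the traits found plus an overall 'suspicious' verdict."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.findall("uses-permission")}
    app = root.find("application")
    has_launcher, triggers, services = False, set(), []
    if app is not None:
        for activity in app.findall("activity"):
            for flt in activity.findall("intent-filter"):
                cats = {_attr(c, "name") for c in flt.findall("category")}
                if "android.intent.category.LAUNCHER" in cats:
                    has_launcher = True
        for receiver in app.findall("receiver"):
            for flt in receiver.findall("intent-filter"):
                for action in flt.findall("action"):
                    if _attr(action, "name") in TRIGGER_ACTIONS:
                        triggers.add(_attr(action, "name"))
        services = [_attr(s, "name") for s in app.findall("service")]
    return {
        "package": root.get("package"),
        "has_launcher_activity": has_launcher,
        "trigger_actions": sorted(triggers),
        "services": services,
        # Only required on Android 9+, so reported but not part of the verdict.
        "declares_foreground_permission": FOREGROUND_PERMISSION in perms,
        "suspicious": (not has_launcher) and bool(triggers) and bool(services),
    }


def flagged_packages(manifests):
    """Names of packages the heuristic flags, given a list of manifest strings."""
    return [r["package"] for r in map(analyse_manifest, manifests) if r["suspicious"]]


# Constructed sample: hidden component with event-driven receivers and a service.
HIDDEN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hiddenhelper">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="helper">
    <receiver android:name=".TriggerReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <service android:name=".HelperService"/>
  </application>
</manifest>"""

# Constructed sample: ordinary app with a launcher icon and a boot receiver.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".ReminderReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name in flagged_packages([HIDDEN_MANIFEST, BENIGN_MANIFEST]):
        print("flagged:", name)
```

The heuristic is deliberately a triage filter rather than a detection: plenty of legitimate apps register for BOOT_COMPLETED and run services, which is why a visible launcher activity is required to clear a package. In practice you would run it over manifests pulled from a device with `adb shell pm path <pkg>` and `adb pull`, then decode them with a tool such as apktool before parsing.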
Once running, it decrypts its payload, connects to the C2 server over TLS with certificate pinning (which prevents the C2 traffic from being intercepted with an interposing proxy, hampering analysis), and awaits commands. The server can then push droppers, clickers, rootkits and potentially other payloads.