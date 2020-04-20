It has been a while since we last talked about xHelper, a notorious piece of Android malware whose main peculiarity is that it was practically impossible to remove. For reasons nobody could explain at the time, the malicious software stayed on the phone even after a factory reset had wiped all of the user's data.

After several months of work, Kaspersky researchers have finally worked out how this malware operates and how it manages to stay hidden on the phone and "reinstall itself" automatically after all of the data stored on the device has been deleted.

This is how xHelper, the "impossible to remove" malware, works

As the researchers found, the malware was even more sophisticated than originally thought. The malicious app was distributed as an "optimization" tool that supposedly cleaned unnecessary or old files out of the phone's internal storage. Once installed, its malicious code downloaded a rootkit whose exploits mainly targeted Android 6.0 Marshmallow through 7.0 Nougat, versions that a good number of Android users still run today.

Once elevated privileges had been obtained, the malware proper was installed. Its main peculiarity is that it was written to the system partition, where the user could not easily remove it.

To install on that partition, the now root-capable malware remounted /system in read-write mode. By default it is mounted read-only, precisely to prevent tampering of this kind, among other things. It then set the immutable attribute on its files, which blocks their deletion even by a user with root privileges: the attribute has to be cleared first, and that again requires /system to be writable.
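The two traits described in the paragraph above, /system remounted read-write and immutable files under /system, are both visible from a shell on the device. The script below is an added example, not code from the article or from Kaspersky's report: it checks a saved copy of the mount table and of an `lsattr -R /system` listing for those traits. The input files are constructed samples and the hidden directory and file names in them are hypothetical; on a real device you would produce the inputs with `adb shell cat /proc/mounts` and `adb shell su -c 'lsattr -R /system'`.

```shell
#!/bin/sh
# Added example (not from the article or Kaspersky's report): flag a /system partition
# mounted read-write and files under /system that carry the immutable attribute.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /proc/mounts sample: a stock device shows "ro" for /system, this one shows "rw".
cat > "$WORK/mounts.txt" <<'EOF'
/dev/block/bootdevice/by-name/system /system ext4 rw,seclabel,relatime,discard,data=ordered 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0
EOF

# Constructed `lsattr -R /system` sample (hypothetical paths). Column 1 is the attribute
# string; a lowercase "i" in it is the immutable flag set with `chattr +i`.
cat > "$WORK/lsattr.txt" <<'EOF'
/system/lib:
----------------- /system/lib/libc.so
----------------- /system/lib/libm.so

/system/xbin/.hidden_example:
----i------------ /system/xbin/.hidden_example/dropper.apk
----------------- /system/xbin/su
EOF

# Exit 0 when the /system entry of a mount table lists the "rw" option.
system_mounted_rw() {
    awk '$2 == "/system" {
             n = split($4, opts, ",")
             for (k = 1; k <= n; k++) if (opts[k] == "rw") found = 1
         }
         END { exit !found }' "$1"
}

# Print every path whose attribute column carries the immutable flag.
# Directory headers ("/system/lib:") and blank lines have NF != 2 and are skipped.
immutable_files() {
    awk 'NF == 2 && $1 ~ /i/ { print $2 }' "$1"
}

if system_mounted_rw "$WORK/mounts.txt"; then
    echo "WARNING: /system is mounted read-write"
else
    echo "/system is read-only"
fi

immutable_files "$WORK/lsattr.txt" | while read -r path; do
    echo "WARNING: immutable file on the system partition: $path"
done
```

A stock Android 6 or 7 build has no immutable files under /system, so any hit from `immutable_files` deserves a look; and `mount -o remount,rw /system` succeeding or /system already showing `rw` means the read-only protection the paragraph mentions is no longer in effect.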

Luckily it is possible to remove xHelper

Despite the sophisticated technique xHelper uses to install and persist on the system, the researchers have found a relatively easy way to remove the malware from affected devices.

According to the report published by Kaspersky, uninstalling the xHelper app does not fully disinfect the system, because the component installed on the system partition reinstalls the malware after the user data partition has been formatted.

For complete removal, the device has to be booted into recovery mode, and from there the infected libc.so currently sitting on the phone's system partition must be replaced with the libc.so extracted from the device's original firmware.

This does not help, however, on devices whose factory software already shipped with the malware, mostly from manufacturers of Chinese origin, because the "original" file is itself infected. In that case the researchers recommend flashing a firmware other than the original, such as a third-party ROM compatible with the device.
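The check-and-replace step from the procedure above, as an added example that is not part of the article or of Kaspersky's report: compare the libc.so taken from the device with the copy from the stock firmware image, and restore the stock copy only when they differ. It runs here against constructed stand-in files under hypothetical paths; on a real phone the same two functions would be applied from a custom recovery with /system mounted, to a libc.so pulled with `adb pull` and to the stock file extracted from the manufacturer's firmware for that exact model and build.

```shell
#!/bin/sh
# Added example (not from the article or Kaspersky's report): verify libc.so against the
# stock firmware copy and restore it if it has been tampered with. All paths are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
STOCK_LIBC="$WORK/stock_firmware/system/lib/libc.so"
DEVICE_LIBC="$WORK/device/system/lib/libc.so"
mkdir -p "$(dirname "$STOCK_LIBC")" "$(dirname "$DEVICE_LIBC")"

# Constructed stand-ins, not real libraries: the "device" copy has extra bytes appended,
# standing in for a libc.so modified on the system partition.
printf 'stock libc contents\n' > "$STOCK_LIBC"
printf 'stock libc contents\ninjected loader stub\n' > "$DEVICE_LIBC"

# SHA-256 hex digest of a file; falls back to shasum where coreutils sha256sum is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Exit 0 when the device file ($2) does not match the stock file ($1).
libc_modified() {
    [ "$(sha256_of "$1")" != "$(sha256_of "$2")" ]
}

# Overwrite the device copy with the stock one, keeping the suspect file for analysis.
# On a real device also restore the file mode (chmod 644) and the SELinux label so that
# it matches the neighbouring libraries (compare with `ls -Z /system/lib`), and repeat
# the check for /system/lib64/libc.so on 64-bit builds.
restore_libc() {
    cp "$2" "$2.infected.bak"
    cp "$1" "$2"
}

if libc_modified "$STOCK_LIBC" "$DEVICE_LIBC"; then
    echo "libc.so differs from stock firmware: restoring stock copy"
    restore_libc "$STOCK_LIBC" "$DEVICE_LIBC"
else
    echo "libc.so matches stock firmware"
fi
```

The hash comparison is what makes the "infected stock firmware" case from the paragraph above detectable: if the manufacturer's own image and the device copy hash the same but the device still reinfects after a wipe, the reference itself cannot be trusted and a different ROM is the only way forward.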


About Christian Collado

Growth Editor at Andro4all, specialized in SEO. I study software development and have been writing about technology, especially the Android world and everything related to Google, since 2016. You can follow me on Twitter, send me an email if you have something to tell me, or connect with me through my LinkedIn profile.
