Just in case you don’t have enough to worry about, the security company Symantec has just issued a warning for Android users everywhere about a new piece of malware named xHelper. The decided unhelpful app has installed itself onto 45,000 Android devices in the last six month, Symantec reports, and the company says it’s seen a “surge in detections” of late.
What will xHelper do if your device is infected with it? Possibly nothing, at least for now. Possibly, it will pepper you with unwanted pop-up ads. But it could do much, much more later. “We strongly believe that the malware’s source code is still a work in progress,” the researchers write. They note that the app is evolving over time–that is, whoever created is still making lots of refinements and improvements. The researchers say that within the code there are many references to Jio, India’s largest 4G network, which suggests that the app’s creators may have something nasty in store for Jio users in the future, although whatever it is has yet to be unleashed. In
But even if you’re not on Jio, don’t feel too relaxed. Symantec’s researchers note that the app seems to be targeting people in India, Russia, and the United States. They say once it’s installed, xHelper connects back to a “command and control” (C&C) server somewhere for further instructions. This connection is how the app can continue to evolve and gain new functionality after it’s installed. And, as Symantec researchers note, there’s no way to know what the C&C server will tell xHelper to do next. “We believe the pool of malware stored on the C&C server to be vast and varied in functionality, giving the attacker multiple options, including data theft or even complete takeover of the device,” they write.
Yikes. But the really scary thing about xHelper is that once you have it, there’s no known way to get rid of it. Symantec calls it “persistent” malware which in this case is something of an understatement. The company posted screen shots of forums where users reported that the app came back even after they’d manually uninstalled it–which required some digging into the files on their Android devices, since it won’t show up in a list of apps. And some unhappy people report that even performing a factory reset on their devices doesn’t solve the problem, or at least not for long. Soon enough, xHelper reappears. As Symantec notes, this suggests that a second malicious app that works as a system app is downloading and installing xHelper. The researchers say they are currently investigating this possibility.
If you use one or more Android devices, what should you do? The fact that you’ll be stuck with xHelper if you get it means you should do what you can to keep from getting it. The most important thing to avoid is “sideloading” apps–that is downloading apps from anywhere but an official app store such as the Google Play Store or Samsung’s Galaxy Apps Store. Even if there were no such thing as xHelper, it’s probably best for most Android users to only get apps from these official stores in any case, and to be vigilant that websites and existing apps aren’t downloading things you don’t want. And since some infected apps have made their way onto the Google Play Store over the years, I recommend the additional step of only downloading apps that have large numbers of positive reviews going back at least several months. You should also keep up with updates and make sure you have a good antivirus app installed.
Now that Symantec has told the world about xHelper, some observers are hoping Google security experts will do something to stop it, and perhaps they will. In the meantime–as always–being very, very careful is the best strategy.