This story was originally published and last updated .
Earlier this year, a story made the rounds about a new kind of malware afflicting Android handsets. But it was this malware's pernicious nature that really made headlines, as it could even survive complete factory resets on afflicted phones. This insidious malware was named xHelper. At the time, we didn't know how it managed this impressive (but scary) achievement, but security researchers at Kaspersky have since dug into its inner workings, revealing an incredibly sophisticated system that installs itself to an Android phone's system partition, and even changes how the system works to prevent it from being "easily" removed.
The details come courtesy of a Kaspersky researcher (spotted by Ars Technica), who discovered that the malware downloads a rootkit that primarily affects Android versions 6-7 — somehow affecting Chinese phones more than others. Once it has root privileges, it directly installs malware to the system partition that is capable of re-infecting the phone at any time, and it's especially pernicious and difficult to remove.
That's because usually the system partition can't be written to. During normal system operation, it's mounted as read-only, so a user can't simply uninstall an app to get rid of all the malware's many tendrils, it's buried deep inside together with the components your phone needs to work. Furthermore, the files the malware writes are given an additional immutable attribute, so even a rooted user in the know can't easily muck them out. But that's not the only trick up xHelper's sleeve, it also modifies an internal Android system library (libc) to disable mounting the system partition in write mode at all, and outright uninstalls root-friendly apps like Superuser that might make the process a little easier.
You can remove the malware via recovery — either by completely reflashing the device with stock images or through a more tedious replacement of the compromised system components for manual removal — but even then, some of the factory images for these cheap Chinese devices come loaded with malware which simply pulls down xHelper all over again. The only real way to win in that case is to flash a more secure ROM (if one is even available) or replace the phone.
Previously Malwarebytes claimed that the Play Store was somehow serving as an avenue of xHelper's reinfection, though concrete proof regarding those claims was never surfaced, and a Google representative couldn't confirm Malwarebytes' theories when we spoke to them earlier this year.
Estimates for the number of affected phones infected by xHelper previously ranged from around 45,000 to 33,000, but again, only devices running older, less secure versions of Android should be susceptible to the rootkit exploits used. (If you're using such an Android phone, please try to upgrade to something more secure if you can, it's in your best interests.) Odds are you aren't affected, but it's still fascinating to see the level of ingenuity used by malware these days.
- Ars Technica