![\"hack](\"https:\/\/thehackernews.com\/images\/-jVZMofDSRRo\/Xox7dwcBVFI\/AAAAAAAA2ow\/GHXjvHSoyUEn8FVtxVTJgrt7uqonvtysACLcBGAsYHQ\/s728-e100\/remove-xhelper-malware.jpg\" "\\"xhelper")
<\/a><\/div>\nIn a\u00a0blog post published today, Igor Golovin, malware analyst at Kaspersky, hack android<\/p>\n
finally solved the mystery by unveiling technical details on the persistence mechanism used by this malware,<\/p>\n
and eventually also figured out\u00a0how to remove xHelper<\/b>\u00a0from an infected device completely.<\/p>\n
As the initial attack vector and for distribution,<\/p>\n
the malware app disguises itself as a popular cleaner and speed optimization app for smartphones<\/p>\n
\u2014 affecting mostly users in Russia (80.56%), India (3.43%), and Algeria (2.43%).<\/p>\n
“But in reality, there is nothing useful about it: after installation, the ‘cleaner’ simply disappears and is nowhere to be seen either on<\/p>\n
the main screen or in the program menu. You can see it only by inspecting the list of installed apps in the system settings,” Golovin said.<\/p>\n
Once installed by an unsuspecting user, the malicious app registers itself as a foreground service and,<\/p>\n
then extracts an encrypted payload that collects and sends identity information of the targeted device to an attacker-control remote web server.<\/p>\n
<\/a><\/div>\nIn the next step, the malicious app executes another obfuscated payload that triggers<\/p>\n
a set of Android rooting exploits and attempts to gain administrative access to the device’s operating system.<\/p>\n
“The malware can gain root access mainly on devices running Android versions 6 and 7 from Chinese manufacturers (including ODMs),” Golovin said.<\/p>\n
The malware sits silently on the device and waits for commands from the attackers. hack android<\/p>\n
According to a previous analysis of the same malware by\u00a0Symantec\u00a0researchers,<\/p>\n
it uses SSL certificate pinning to prevent its communication from being intercepted.<\/p>\n
“The malware installs a backdoor with the ability to execute commands as a superuser.<\/p>\n
If the attack succeeds, the malicious app then abuses root privilege to silently install<\/p>\n
xHelper by directly copying malicious package files to the system partition (\/system\/bin folder) after re-mounting it in the write-mode.<\/p>\n
“All files in the target folders are assigned the immutable attribute,<\/p>\n
which makes it difficult to delete the malware because the system does not allow even superusers to delete files with this attribute,” Golovin said.<\/p>\n
to permanently delete the malware file, xHelper also modifies a system library (libc.so)<\/p>\n
intending to prevent infected users from re-mounting system partition in the write mode.<\/p>\n
“On top of that, the Trojan downloads and installs several more malicious programs,<\/p>\n
and deletes root access control applications, such as Superuser,” Golovin said.<\/p>\n
According to Kaspersky, replacing the modified library with the one from the original firmware for your Android smartphone<\/p>\n
could re-enable mounting system partition in the write-mode to permanently remove\u00a0xHelper Android malware.<\/p>\n
However, instead of following such a tech-savvy procedure to get rid of the malware,<\/p>\n
affected users are advised to simply re-flash their backdoored phones with a fresh copy of firmware<\/p>\n
downloaded from the vendors’ official website or by installing a different but compatible Android ROM.<\/p>\n
You may Also like to read:<\/p>\n
http:\/\/zerothcode.com\/blog\/wi-fi-vulnerability-affects-billion\/<\/a><\/p>\n Remember xHelper? hack android A mysterious piece of Android malware that re-installs itself on infected devices even after users delete<\/p>\n","protected":false},"author":1,"featured_media":788,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[37],"tags":[],"yst_prominent_words":[160,1010,495,1014,1009,175,1003,1013,1002,1016,425,71,1008,69,1011,1012,936,1007,170,1004],"class_list":["post-785","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackers-news"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/785","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=785"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/785\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/788"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=785"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=785"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=785"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}