Xhelper: Persistent Android dropper app infects 45K devices in past 6 months (Oct 30, 2019)
Symantec researchers have identified a new Android malware, “Xhelper”, that has been downloaded more than 45,000 times since March of this year; affected countries include India, Russia, and the U.S.A. Xhelper is persistent: it remains on the device even after the user manually uninstalls it. Its command-and-control capability lets the threat actor download and execute additional payloads on the infected device. Symantec researchers believe the malware is still under development, with many more functions not yet implemented.
Recommendation: No Xhelper samples were found on the Google Play Store, which makes it likely that the app is being downloaded from unknown and untrustworthy sources. For that reason, all applications should be carefully researched before they are installed on a personal or work device. Applications that request additional permissions, whether upon installation or later at runtime, should be carefully vetted before those permissions are granted. Additionally, all applications, and free versions in particular, should only be downloaded from trusted vendors and official app stores.
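One practical way to act on this recommendation during triage is to enumerate the third-party packages on a device together with the package that installed them, and flag anything that did not come from the Play Store. The following is an added example written for this page, not code from Symantec or Anomali. It assumes the input is the text printed by `adb shell pm list packages -3 -i` (one line per third-party package, in the form `package:<name>  installer=<installer>`; sideloaded APKs report `installer=null`), and the set of trusted installer package names is an assumption to adjust for your fleet (vendor app stores, MDM agents). The sample output embedded below is constructed for illustration.

```python
"""Flag third-party Android packages not installed by a trusted store.

Feed it the output of:  adb shell pm list packages -3 -i
Each line looks like:   package:com.example.app  installer=com.android.vending
Sideloaded packages (adb install, "unknown sources") show installer=null.
"""
import re
from typing import Dict, List, Optional, Set

# Installer packages treated as trusted. Only the Play Store is listed here;
# add vendor stores or your MDM agent as appropriate (assumption, not a
# recommendation from the original report).
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}

# Constructed sample output, not captured from a real device.
SAMPLE_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.weatherpro  installer=null
package:com.example.cleaner  installer=com.example.filemanager
package:org.example.notes  installer=com.android.vending
"""

_LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_pm_list(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when pm reports 'null').

    Lines that do not match the expected format (blank lines, warnings
    printed by adb) are skipped rather than raising.
    """
    packages: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        match = _LINE_RE.match(line.strip())
        if not match:
            continue
        name, installer = match.groups()
        packages[name] = None if installer == "null" else installer
    return packages


def flag_untrusted(packages: Dict[str, Optional[str]],
                   trusted: Set[str] = TRUSTED_INSTALLERS) -> List[str]:
    """Return sorted package names whose installer is missing or untrusted."""
    return sorted(
        name for name, installer in packages.items()
        if installer is None or installer not in trusted
    )


if __name__ == "__main__":
    import sys
    # Read real `pm list packages -3 -i` output from stdin if piped in,
    # otherwise run against the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    parsed = parse_pm_list(data)
    for pkg in flag_untrusted(parsed):
        print(f"REVIEW  {pkg}  installer={parsed[pkg]}")
```

Usage: `adb shell pm list packages -3 -i | python3 flag_sideloaded.py`. Each flagged package is a candidate for closer inspection (review its requested permissions with `adb shell dumpsys package <name>`), not a confirmed infection; a null installer simply means the APK was not installed through a store.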
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.