Xhelper malware


It would seem that a new kind of malware, known as "Xhelper," has popped up, one that is difficult to get rid of and which is primarily targeting Android OS.

It seems the malware cannot be removed by conventional means, with the endurance to remain behind in spite of hard measures such as factory resetting the device. It appears to do this by re-downloading itself after deletion (common in mobile malware).

Symantec is uncertain as to how the malware is spreading exactly, but it has at this stage infected some 45,000 devices, with most cases being in Russia, the US and India. Symantec has raised the possibility that it could be utilised to carry out some kind of attack, though this was only in passing. The current trend is ~131 devices infected per day. It has the potential to download additional payloads to the device but at this stage seems to be making use of mobile pop-up ads.

Excerpt from Symantec report:

"We strongly believe that the malware’s source code is still a work in progress. For example, we spotted many classes and constant variables labeled as “Jio”, indicating possible future interest in Jio users, the largest 4G network in India. However, we have no evidence that Jio users are at risk at this time."

Interestingly, I have found a quick report on a malware known as "xhelper.dll" that targets Windows OS. It does not appear quite as advanced but is still listed as having an 81% chance to be dangerous. It may just be a coincidence, but worth mentioning.

Symantec has given some guidelines to stay scrubbed:

- Keep software up to date.
- Don't download from unfamiliar sites.
- Only download from trusted sources.
- Pay close attention to the permissions requested by apps.
- Install some kind of mobile security.
- Make frequent backups.


This New Android Malware Can Survive a Factory Reset

New 'unremovable' xHelper malware has infected 45,000 Android devices | ZDNet

xhelper.dll Windows process - What is it? (interesting connection)

Xhelper: Persistent Android dropper app infects 45K devices in past 6 months (official Symantec update/report)

Threat Intelligence | Symantec Blogs (updates on issue directed here by Symantec)

Stay clean...