
New 'unremovable' xHelper malware has infected 45,000 Android devices - tzm
https://www.zdnet.com/article/new-unremovable-xhelper-malware-has-infected-45000-android-devices/
======
paulmd
Wonder if it's written itself into recovery. Or the SIM card/baseband - SIM
card in particular usually includes functionality for triggering a sideload of
apps (eg for carrier apps), sending notifications, etc into the main SOC so it
fits. Maybe the second instance of SIM card malware ever.

[https://www.youtube.com/watch?v=31D94QOo2gY](https://www.youtube.com/watch?v=31D94QOo2gY)

There are only so many places it can be hiding if it's surviving a factory
reset.

--Guy who is undoubtedly vastly underestimating the problem given that it's
resisted AV vendors for a while

~~~
morbm
I'd wager that the firmware came pre-infected by the manufacturer (or an
update to the firmware has the infection).

Based on the reddit thread at least one of the devices is from a no-name
manufacturer.

[https://www.reddit.com/r/antivirus/comments/bj6isa/xhelper_k...](https://www.reddit.com/r/antivirus/comments/bj6isa/xhelper_keeps_installing_itself_on_android_phone/)

~~~
walrus01
A not insignificant portion of generic weird MediaTek chipset Android phones
come rooted from the manufacturer, because the OS is built with a
root/developer configuration. This also helps malware like this spread on the
sub-$80 Android phones sold to non-technically sophisticated users in the
developing world.

~~~
cptskippy
I remember reading something about MediaTek-based phones saving on the BOM by
utilizing virtualization on a single SoC to run the baseband RTOS and the
smartphone OS.

~~~
arcticbull
That’s actually kind of brilliant.

~~~
londons_explore
Until you get bugs like "3D games lag when in fast moving car due to constant
cell handovers" and "4G doesn't work at the same time as playing a 1080p60
video, so netflix/youtube are broken unless on wifi".

~~~
arcticbull
Sure, but the phone's $80. Getting to that price point requires some
compromises. You'd think they'd also set the baseband VM at the highest QoS.

~~~
himlion
I'm currently using a Xiaomi Redmi Go that was a bit less than that and I
think it's remarkable how few compromises it has.

------
walrus01
> The ads and notifications redirect users to the Play Store, where victims
> are asked to install other apps -- a means through which the xHelper gang is
> making money from pay-per-install commissions.

Software publishers which have been proven to be paying out commission money
from "bait and install" app links, for things published in the Play Store,
should have their entire app and developer profile removed with extreme
prejudice.

~~~
altfredd
That's a bold demand, considering that majority of free games in Play Store
monetize themselves via partner installs. For all we know, developers of
involved apps are paying a "legit" advertising company for installs, and
malware authors act as ordinary partners of that company (likely using a bunch
of throwaway accounts).

~~~
walrus01
I don't feel sorry for them, they can continue to monetize themselves through
pay to win lootboxes and pay to win power boosts instead.

------
40four
I'm really confused. How is it possible something like this survives a factory
reset? To be fair, I have a very limited knowledge of hardware like this, but
my assumption is a factory reset should remove EVERYTHING that didn't come on
the phone out of the box.

Some other comments are questioning whether this is happening to 'budget'
devices sold by sketchy manufacturers. Would that explain something like this?

I sure as hell hope that's not the case on a phone from a reputable manufacturer.
If I can't wipe everything, including malware, from my Android device by doing
a factory reset, I'm going to throw it in the garbage tomorrow & buy an
iPhone.

~~~
mindslight
Android devices have multiple storage partitions. "Factory reset" generally
refers to wiping the data partitions, but _not_ the system partitions. It does
not mean reflashing the phone's entire storage from an external image as you
would expect.

I would imagine this malware modifies one of the partitions that is not
customarily wiped. And I would expect that doing a proper full reflash from a
computer (eg starting from `fastboot flash bootloader ...`) would remove it,
assuming it wasn't already baked into that image at the manufacturer.

~~~
40four
Thanks for explaining!

~~~
hunter2_
And the "not customarily wiped" partitions are not wiped because they are not
customarily writable in the first place. Rooting a phone by a prominent
manufacturer requires discovering an exploit which overcomes this write
protection. This is why manufacturers try to protect against exploits, and why
you probably shouldn't use a second-hand phone that has known exploits, where
second-hand means touched by basically anyone in even a seemingly-legitimate
supply chain.

~~~
mindslight
> _you probably shouldn't use a second-hand phone that has known exploits,
> where second-hand means touched by basically anyone_

Clearly unpublished exploits are also bad, meaning this essentially applies to
every phone. That's a pitfall of the closed security paradigm - even if you
are willing to trust the manufacturer, you still can't be sure that their
control has not actually been usurped by some unknown third party.

So you either need to double down and choose the closed system that receives
the highest scrutiny (Apple), or opt for a device that has been opened by the
community for long enough that any stateful hiding places are known.

------
wnevets
> According to Malwarebytes, the source of these infections is "web redirects"
> that send users to web pages hosting Android apps. These sites instruct users
> on how to side-load unofficial Android apps from outside the Play Store. Code
> hidden in these apps downloads the xHelper trojan.

Ok, maybe don't do that?

~~~
Nairus
You never had to deal with an untechnical user, have you?

------
tyingq
Sounds big, but likely paltry compared to active Android devices. That said,
for other reasons that are more compelling, Apple is killing Google on
"captive portal advantages". Google needs to dedicate more resources to both
the PlayStore and the Chrome Extension store for many, many, reasons. They are
not getting the inflection point of their "automation is fine" approach.

In other words, the conclusion is right, but this incident is NOT the selling
point. Ad blockers and Manifest V3 are a much better research study into their
stupidity.

~~~
43920
This doesn't really seem like a detection issue, but more of a design issue
that Google needs to fix. Why is an app able to display ads across the system,
even when you aren't running it? And how is it even possible for an app to
make itself uninstallable?

~~~
tyingq
Those are good specific examples that I might have missed. Good point. The
PlayStore is a train wreck that takes a lot of percentage of revenue from apps
and adds little value in return.

Just noting that 45,000 users affected IS NOT the PlayStore failure reference
story. It's bigger than that.

10 million uBlock Origin Chrome users are soon to be abandoned due to Google's
policies. That's way more interesting, and ties the PlayStore issues to the
same Chrome Extension issues.

Apple is credibly watching out for their customers. Google is credibly
watching out for Google. Pretty much unapologetically with little pushback.

Personally frustrating for me as I've been a loyal Android user for a long
time. Almost ready to switch to an iPhone, despite my unfamiliarity and the
much higher price point. Google should pay attention.

------
hans_castorp
Does anyone know if any of the hosts lists from blokada
([https://blokada.org/](https://blokada.org/)) keeps this out?

------
redm
I know iOS isn't perfect; however, when I read articles like this, I just have
to smile. There's something to be said for a tightly controlled platform and
ecosystem.

~~~
benologist
What do you think iOS reviewers were thinking when carefully auditing these
apps -

[https://mashable.com/2017/06/12/apple-app-store-subcription-...](https://mashable.com/2017/06/12/apple-app-store-subcription-scams/)

[https://9to5mac.com/2019/10/25/malware-iphone-apps/](https://9to5mac.com/2019/10/25/malware-iphone-apps/)

[https://www.techtimes.com/articles/235985/20181204/apple-rem...](https://www.techtimes.com/articles/235985/20181204/apple-removes-malicious-fitness-apps-that-tricked-users-to-make-touch-id-payments.htm)

[https://www.wired.com/2015/09/apple-removes-300-infected-app...](https://www.wired.com/2015/09/apple-removes-300-infected-apps-app-store/)

They get so much wrong, so often, you have to wonder if they really look at
the apps at all or just have some checklist, screenshots and a quota to hit.
They explicitly approved all the garbage practices that Apple Arcade's billing
protects users from.

~~~
dkonofalski
That doesn't feel like the same thing _at all_. A shady developer tricking
people into a subscription because they don't know any better is way different
from malware that reinstalls itself even after a factory reset. People have to
agree to pay for the subscription from an OS-level prompt in the first
instance. They don't have a choice in the 2nd.

~~~
ikt
> A shady developer tricking people into a subscription because they don't
> know any better is way different from malware that reinstalls itself even
> after a factory reset.

A shady developer tricking people and a shady website tricking people result
in bad things.

To get this trojan I'd need to go into settings and tick this box:

[https://q3fb03rfy3f4ahuzu2uy6e11-wpengine.netdna-ssl.com/wp-...](https://q3fb03rfy3f4ahuzu2uy6e11-wpengine.netdna-ssl.com/wp-content/uploads/2016/03/sideload-android-apps.png)

Then go to the dodgy website, then download the APK, then install it, then
Pikachu face when I get a trojan.

And you can talk about how great Apple's security is but to fix this issue all
Google has to do is remove that tick box in settings so no more sideloading
apps.

But that also comes back with drawbacks that I assume an Apple user like
yourself wouldn't know about, because all you know is a walled garden. Sort of
like how Chinese people love the fact their internet is censored. So safe, so
secure.

~~~
Aaargh20318
> And you can talk about how great Apple's security is but to fix this issue
> all Google has to do is remove that tick box in settings so no more
> sideloading apps.

And yet, they don’t.

> But that also comes back with drawbacks that I assume an Apple user like
> yourself wouldn't know about, because all you know is a walled garden.

Funny how Android users keep saying that. I’m an Android developer by
profession, which is why I use an iPhone as my personal phone and would never
recommend an Android device even to my worst enemy. I’ve seen how the sausage
is made and it isn’t pretty. The best thing you can say about Android is that
it’s free, which correctly reflects what it’s worth.

------
Twirrim
45,000 is a trivial number of infections when you consider that there are
2.5bn monthly active Android devices:
[https://venturebeat.com/2019/05/07/android-passes-2-5-billio...](https://venturebeat.com/2019/05/07/android-passes-2-5-billion-monthly-active-devices/)

That's what, 0.0018% of devices infected?

~~~
arcticbull
So far?

