Android Trojan xHelper uses persistent re-infection tactics: here’s how to remove

We first stumbled upon the nasty Android Trojan xHelper, a stealthy malware dropper, in May 2019. By mid-summer 2019, xHelper was topping our detection charts, so we wrote a blog post about it. After the blog, we thought the case was closed on xHelper. Then a tech-savvy user reached out to us in early January 2020 on the Malwarebytes support forum:

“I have a phone that is infected with the xhelper virus. This tenacious pain just keeps coming back.”

“I’m fairly technically inclined so I’m comfortable with command prompt or anything else I may need to do to make this thing go away so the phone is actually usable!”

— forum user misspaperwait, Amelia

Indeed, she was infected with xHelper. Furthermore, Malwarebytes for Android had already successfully removed two variants of xHelper and a Trojan agent from her mobile device. The problem was, it kept coming back within an hour of removal. xHelper was re-infecting over and over again.

If it wasn’t for the expertise and persistence of forum patron Amelia, we couldn’t have figured this out. She has graciously allowed us to share her journey.

All the fails

Before we share the culprit behind this xHelper re-infection, I’d like to highlight the tactics we used to investigate the situation, including the many dead ends we hit prior to figuring out the end game. By showing the roadblocks we encountered, we demonstrate the thought process and complexity behind removing malware so that others may use it as a guide.

Clean slate

First off, Amelia was clever enough to do a factory reset before reaching out to us. Unfortunately, it didn’t resolve the issue, though it did give us a clean slate to work with. No other apps (besides those that came with the phone) were installed besides Malwarebytes for Android; thus, we could rule out an infection by prior installs (or so we thought).

We also ruled out any of the malware having device admin rights, which would have prevented our ability to uninstall malicious apps. In addition, we cleared all history and cache on Amelia’s browsers, in case a browser-based threat, such as a drive-by download, was causing the re-infection.

The usual suspect: pre-installed malware

Since we had a clean mobile device and it was still getting re-infected, our first assumption was that pre-installed malware was the issue. This assumption was fueled by the fact that the mobile device was from a lesser-known manufacturer, which is often the case with pre-installed malware. So Amelia tested this theory by going through the steps to run Android Debug Bridge (adb) commands against her mobile device.

With the adb command line installed and the mobile device plugged into a PC, we used the workaround of uninstalling system apps for the current user. This method renders system apps useless even though they still technically reside on the device.

Starting with the most obvious and working toward the least, we systematically uninstalled suspicious system apps, including the mobile device’s system updater and an audio app with hits on VirusTotal, a potential indicator of maliciousness. Amelia was even able to grab various apps we didn’t have in our Mobile Intelligence System so we could rule everything out. After all this, xHelper’s persistence would not end.

Triggered: Google PLAY

We then noticed something strange: the source of installation for the malware stated it was coming from Google PLAY. This was unusual because none of the malicious apps downloading on Amelia’s phone were on Google PLAY. Since we were running out of ideas, we disabled Google PLAY. As a result, the re-infections stopped.

We have seen important pre-installed system apps with malware in the past. But Google PLAY itself!? After further analysis, we determined that, no, Google PLAY was not infected with malware. However, something within Google PLAY was triggering the re-infection, perhaps something that was sitting in storage. Furthermore, that something could also be using Google PLAY as a smokescreen, falsifying it as the source of malware installation when in reality, it was coming from someplace else.

In the hopes that our theory held true, we asked Amelia to look for suspicious files and/or directories on her mobile device using a searchable file explorer, namely, anything that started with com.mufc., the prefix of xHelper’s malicious package names.
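The adb per-user uninstall workaround from the pre-installed malware section and the com.mufc. search above, as an added shell example that is not from the original post or from Malwarebytes: it takes the text of an `adb shell pm list packages -f` listing (a constructed sample here, with made-up com.mufc.example package names and APK paths), filters for the xHelper package prefix, and prints the per-user uninstall commands instead of running them, so the list can be reviewed before anything is removed. `pm uninstall -k --user 0` is the standard form for removing a package for user 0 only; everything in the sample listing is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run triage of an adb
# package listing for xHelper-style package names.

# Constructed sample in the format 'adb shell pm list packages -f' prints:
# package:<apk path>=<package name>. All names and paths are made up.
SAMPLE_LISTING='package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.mufc.example1-1/base.apk=com.mufc.example1
package:/system/app/Music/Music.apk=com.example.oem.audio
package:/data/app/com.mufc.example2-1/base.apk=com.mufc.example2
package:/data/app/org.malwarebytes.antimalware-1/base.apk=org.malwarebytes.antimalware'

# Prefix the post identifies for xHelper's malicious packages.
MALICIOUS_PREFIX='com.mufc.'

# matching_packages LISTING PREFIX
# Strip each line down to the package name and keep only names that start
# with PREFIX (index()==1 is a literal prefix match, so '.' is not a wildcard).
matching_packages() {
    printf '%s\n' "$1" \
        | sed -n 's/^package:.*=//p' \
        | awk -v p="$2" 'index($0, p) == 1'
}

# uninstall_commands LISTING PREFIX
# Emit, without executing, the "uninstall for current user" command the post
# describes for every matching package. -k keeps app data for later analysis.
uninstall_commands() {
    matching_packages "$1" "$2" | while IFS= read -r pkg; do
        printf 'adb shell pm uninstall -k --user 0 %s\n' "$pkg"
    done
}

# Stand-alone run: show what would be removed on the constructed sample.
uninstall_commands "$SAMPLE_LISTING" "$MALICIOUS_PREFIX"
```

On a real device the listing would come from `adb shell pm list packages -f` and each printed line would be run only after checking that the package is not a legitimate app sharing the prefix. Because the uninstall is scoped to user 0, a package removed this way can be reinstated with `adb shell cmd package install-existing <package>` if it turns out to be needed.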
