'Unkillable' Android Malware May Provide Ongoing Access to Personal Info, Security Researchers Warn

A research team at Kaspersky laboratory has warned Android users about hacking malware that can be inadvertently downloaded with popular “cleaner” or “speed-up” apps and then proceeds to gain access to all the information on a user’s phone, as well as downloading other malicious files. It is also almost impossible to get rid of, which makes it “unkillable”, according to Kaspersky Lab.

The malware, which was dubbed xHelper Trojan, has been active since last year, and security researchers have been studying the mechanisms behind its survivability. They found out that once xHelper is downloaded onto the phone with a cleaner app, it disappears from the menu and is nowhere to be found, unless specifically looked for in the list of installed apps.

The Trojan encrypted in the malware then starts spying on your phone and sends all the personal information to the attacker. It also downloads the next set of malicious files in a so-called “matryoshka-style” scheme – a layout resembling popular Russian doll. The files are then stored “sequentially” in the phone and the trail to them is obscured. According to the researchers, Android versions 6 and 7 from Chinese manufactures are the ones more affected by the malware’s ability to gain “root access” to the phone.  

“Using a smartphone infected with xHelper is extremely dangerous. The malware installs a backdoor with the ability to execute commands as a superuser. It provides the attackers with full access to all app data and can be used by other malware too, for example, CookieThief”, warns Igor Golovin, a security researcher at Kaspersky lab.

Deleting xHelper then does not help to disinfect the system at all, as app and other malicious files will be “reinstalled” to the phone thanks to an accompanying Trojan programme. Only completely “reflashing” the phone may help to finally get rid of the malicious attacker, but not always, the security expert explains.

“Bear in mind too that the firmware of smartphones attacked by xHelper sometimes contains preinstalled malware that independently downloads and installs programs (including xHelper). In this case, reflashing is pointless, so it would be worth considering alternative firmwares for your device”, Golovin concludes.

Downloading apps from the official Google Play Store may help to prevent users from installing malicious apps. However, it was reported last September that at least 24 popular Android apps, including "Antivirus Security - Security Scan", were infected with malware which secretly signed its users up for paid subscription services. 

In January, a number of organisations sent an open letter to Google, urging the company to protect mobile phone users from “exploitative” apps which are pre-installed on Android devices.