November 11, 2019

xHelper

Entry Type
Security Guidance
Threat Type
Malware
Platform(s) Affected
Android

Lookout Coverage and Recommendation for Admins

Lookout Mobile Endpoint Security (MES) and App Defense SDK both provide full coverage of Xhelper to protect customers against it. The SDK will prevent devices with Xhelper from logging into the integrated customer app, while MES admins can build application-based policies in the platform that alert both the admin and the end user when a trojanized application is installed. This allows them to build in customized remediation tactics to ensure corporate data stays protected. Devices with Lookout installed have been protected against Xhelper apps since September 2019 (some under NecroDrop), and Lookout will continue to research this family and update detection capabilities with its findings.

Overview

Xhelper is a new malicious Android dropper app that has infected roughly 45,000 devices in the past six months, with some users reporting that the app reappears on the device even after they delete it. Additionally, it has the potential to be used to deploy second-stage malware payloads with dangerous capabilities such as stealing user login information, keylogging, deploying ransomware, and bypassing MFA through SMS interception. The majority of victims have been targeted in India, the United States, and Russia.

How Does it Work?

Xhelper can be launched by a variety of external events on the device, such as installing an app, connecting to a power supply, or rebooting the device. Once its core functionality has run and the malicious payload is decrypted into memory, it connects to the C2 server and waits for commands from the attacker. To ensure communications between the device and the C2 server remain uninterrupted, SSL certificate pinning is used for all communication, and the server grants the malicious actor a variety of data theft and device takeover options with which to attack the device.

Once the trojan gains access to the target device, Xhelper registers itself as a separate standalone service. Some users have reported that the app reappears on the device after it has been uninstalled, though Lookout has not observed this behavior, and it is unclear how Xhelper could reinstall itself once the user finds it under the Android OS Apps list and removes it manually. The code behind this malware is constantly being updated and shipped out, so it will continue to evolve.
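As an added triage illustration (not code from Lookout or from any Xhelper sample), the following Python scans a decoded AndroidManifest.xml for a receiver wired to the three wake-up events described above combined with a declared standalone service. The mapping of those events to the standard broadcasts BOOT_COMPLETED, ACTION_POWER_CONNECTED and PACKAGE_ADDED, and the embedded sample manifest, are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # namespace-qualified android:name

# Assumption: the advisory's three wake-up events map to these standard
# Android broadcasts. Each is legitimate on its own; we flag the combination.
TRIGGER_ACTIONS = {
    "android.intent.action.PACKAGE_ADDED": "app installed",
    "android.intent.action.ACTION_POWER_CONNECTED": "power connected",
    "android.intent.action.BOOT_COMPLETED": "device rebooted",
}

# Constructed sample manifest (not from any real sample) showing the pattern.
SUSPECT_MANIFEST = """<manifest xmlns:android="%s" package="com.constructed.x">
  <application>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
      </intent-filter>
    </receiver>
    <service android:name=".CoreService"/>
  </application>
</manifest>""" % ANDROID_NS

def find_wakeup_triggers(manifest_xml):
    """Return {receiver name: [trigger labels]} for every <receiver> whose
    <intent-filter> subscribes to one of the wake-up broadcasts."""
    hits = {}
    for receiver in ET.fromstring(manifest_xml).iter("receiver"):
        name = receiver.get(NAME, "<unnamed>")
        for action in receiver.iter("action"):
            label = TRIGGER_ACTIONS.get(action.get(NAME, ""))
            if label:
                hits.setdefault(name, []).append(label)
    return hits

def declares_service(manifest_xml):
    """True if the manifest declares any <service> component."""
    return ET.fromstring(manifest_xml).find(".//service") is not None

def is_suspect(manifest_xml, min_triggers=2):
    """Flag manifests that chain several wake-up triggers to a receiver AND
    declare a service: the relaunch-plus-standalone-service pattern above."""
    hits = find_wakeup_triggers(manifest_xml)
    total = sum(len(labels) for labels in hits.values())
    return total >= min_triggers and declares_service(manifest_xml)
```

Run it against manifests decoded from APKs already quarantined by MES to prioritise which ones a human reviews first; a single BOOT_COMPLETED receiver alone is common in benign apps and is deliberately not flagged.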
