Nasty Android malware reinfects its targets, and no one knows how
Enlarge

reader remarks

37
with 28 posters getting involved, consisting of story author

A commonly flowing piece of Android malware mostly targeting US-based phones utilized a smart technique to reinfect one of its targets in a task that puzzled scientists regarding exactly how it was managed.

When a scientist from security company Malwarebytes released this quick profile,

xHelper came to light last May. 3 months later on, Malwarebytes supplied a much deeper analysis after the business’s Android anti-virus app identified xHelper on 33,000 gadgets mainly situated in the United States, making the malware one of the top Android dangers. The file encryption and heavy obfuscation made analysis hard, however Malwarebytes scientists eventually concluded that the main function of the malware was to serve as a backdoor that might from another location get commands and install other apps.

On Wednesday, Malwarebytes released a brand-new post that stated the lengths one Android user required to rid her gadget of the harmful app. In other words, each time she eliminated 2 xHelper variations from the gadget, the malware would come back on her gadget within the hour. She reported that even carrying out a factory reset wasn’t enough to make the malware disappear.

Blind streets

Business scientists at first thought that pre-installed malware was the perpetrator. They ultimately dropped that theory after the user carried out a strategy that avoided system apps from running. Malwarebytes experts later on saw the malware suggesting that Google Play was the source of the reinfections, however they eliminated this possibility after more examination.

Ultimately (and with the aid of the Android user), business scientists lastly recognized the source of the reinfections: numerous folders on the phone which contained files that, when carried out, set up xHelper. All of the folders started with the string com.mufc. To the scientists’ surprise, these folders weren’t gotten rid of despite the fact that the user carried out a factory reset on the gadget.

“This is by far the nastiest infection I have encountered as a mobile malware researcher,” Malwarebytes’ Nathan Collier composed in Wednesday’spost “Usually a factory reset, which is the last option, resolves even the worst infection. I cannot recall a time that an infection persisted after a factory reset unless the device came with pre-installed malware.”

Malwarebytes

Surprise inside a directory called com.mufc.umbtts was an Android application plan, or APK, that dropped an xHelper variation. The variation, in turn, dropped more malware within seconds. And with that, xHelper when again alarmed the user’s gadget. The user lastly rid her gadget of the malware after utilizing an Android file manager to erase the mufc folders and all their contents. Since the malware was in some way determining Google Play as the source of the reinfection, Collier suggests individuals in a comparable position disable the Google Play Store app prior to eliminating the folders.

Collier still isn’t sure how the mufc folders concerned live on the phone in the first location or why they weren’t erased throughout factory reset. In October, security company Symantec likewise reported that users were grumbling that factory resets didn’t eliminate xHelper, however business scientists were likewise not able to discuss why. One theory, Collier stated, is that an xHelper alternative set up the folders and made them look like an SD card that wasn’t impacted by the factory reset (the user reported that her gadget didn’t have an SD card).

“I was under the assumption that files/directories were removed after a factory reset, but this proves that some things can be left over,” Collier composed in an e-mail. “There are still a lot of unknowns with this one. We’re just glad to have a resolution for our customers who may be struggling with this infection.”

Similar Posts

Leave a Reply