Thousands of Android users have been complaining online about a malicious app that hides itself, downloads other threats, and displays ads on the infected devices, and reinstalls itself even after users delete it from their devices.
According to a report published by Symantec, the malicious app packed with the malware, named Xhelper, has infected more than 45,000 Android devices in the last six months and is continuing to infect 2,400 devices on an average each month. Symantec stated the malicious app mainly targeting mobile users in India, U.S., and Russia.
Though Symantec didn’t find the exact source of the malicious app, it did suspect that the malicious app was pre-installed on Android devices from certain brands.
Once launched, the malware connects to its remote command-and-control server over an encrypted channel and downloads additional payloads like clickers, droppers, and rootkits on the infected Android devices.
“None of the samples we analyzed were available on the Google Play Store, and while it is possible that the Xhelper malware is downloaded by users from unknown sources, we believe that may not be the only channel of distribution,” Symantec said in its report. “From our telemetry, we have seen these apps installed more frequently on certain phone brands, which leads us to believe that the attackers may be focusing on specific brands.”
“However, we believe it to be unlikely that Xhelper comes preinstalled on devices given that these apps don’t have any indication of being system apps,” the report added.
Symantec urged Android users to take simple precautions like, keeping devices and apps up-to-date, avoiding app downloads from unfamiliar sources, paying attention to the permissions requested by apps, frequently back up data and installing a good antivirus app that protects against malware and similar threats.
A similar research from Kaspersky revealed an ongoing Android malware campaign dubbed ViceLeaker that has been active since 2016. According to Kaspersky, a hacker group has been found targeting Israel citizens and other Middle East countries with surveillance malware named Triout. The malware is designed to steal sensitive information, including call recordings, text messages, photos, videos, and location data without users’ knowledge.
Apart from spying features, the malware also has backdoor capabilities, including upload, download, delete files, record surrounding audio, takeover camera, and make calls or send messages to specific numbers, according to the researchers.
