Malicious ‘Xhelper’ Android app infects 45,000 devices in six months

30 Oct 2019

Image: © Aleksei/

Researchers have noted that the malware, which can hide on a victim’s phone and re-install itself after being removed, has proven to be particularly persistent.

Symantec researchers have noted that Xhelper, an Android malware application component, has installed itself on 45,000 unsuspecting devices in the past six months, primarily affecting users in India, the US and Russia.

The team observed a “surge” in detections for the malware, which can hide itself from users by not showing up on a system’s launcher.

“The app is persistent,” the report explained. “It is able reinstall itself after users uninstall it and is designed to stay hidden. This makes it easier for the malware to perform its malicious activities undercover.”

Users posting on forums about Xhelper have complained about random pop-up advertisements and noted that the malware keeps re-appearing even after users have removed it.

Since it has no app icon, the malware cannot be launched manually, instead being launched by external events such as when the infected device is connected to or disconnected from a power supply. The app component can also be triggered when the device is rebooted, or when an app is installed or uninstalled.

“Once launched, the malware will register itself as a foreground service, lowering its chances of being killed when memory is low. For persistence, the malware restarts its service if it is stopped; a common tactic used by mobile malware,” the report added.

Once the malware takes root and successfully connects to an attacker’s command and control (C&C) server, it will start installing additional malicious applications such as droppers, clickers and rootkits. “We believe the pool of malware stored on the C&C server to be vast and varied in functionality, giving the attacker multiple options, including data theft or even complete takeover of the device.”

‘A work in progress’

Xhelper apps were first observed in March 2019, albeit in more rudimentary forms. Back then, the code’s main function was to direct traffic to monetised advertisement pages. It has since become more sophisticated, according to the report.

Symantec’s researchers believe that the malware’s source code is still “a work in progress”, as evidenced by classes and constant variables labelled as ‘Jio’ – a 4G network in India that “attackers may be planning to target”, they said.

None of the samples that Symantec analysed were available on the Google Play store. Given that Xhelper affects some phone brands more than others, the team suspect attackers may be focusing on these brands, though think it is unlikely that it comes pre-installed on devices.

Symantec has warned users to take precautions such as keeping software up to date, not downloading apps from unfamiliar sites or untrusted sources, and paying close attention to permissions requested by apps.

Eva Short was a journalist at Silicon Republic