Over the past six months, a new kind of Android malware named xHelper has reportedly infected more than 45,000 Android devices, where it can reinstall itself even after being manually removed.
The malware was first spotted in March but slowly expanded to infect more than 32,000 devices by August, and eventually it made its way to a total of 45,000 devices, according to Symantec.
xHelper code changed over time
This is the latest security alert on Android phones.
Those affected were mostly users in India, the US and Russia. Symantec observed “a surge in detections” of the Android malware, which can hide itself from users, download additional malicious apps, and display advertisements.
Symantec said in a blog post published on Tuesday:
“In the past month alone, there was an average of 131 devices infected each day, and an average of 2,400 devices persistently infected throughout the month.”
Back in March when it was first seen, the malware’s code was relatively simple, and its main function was visiting advertisement pages for monetization purposes.
The code has changed over time. Initially, the malware’s ability to connect to a C&C server was written directly into the malware itself, but later this functionality was moved to an encrypted payload, in an attempt to evade signature detection, according to Symantec.
Some older variants included empty classes that were not implemented at the time, but the functionality is now fully enabled. xHelper’s functionality has expanded drastically in recent times, the post said.
How to avoid being affected
According to Malwarebytes, the source of these infections is "web redirects" that send users to web pages hosting Android apps.
These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan.
The good news is that the trojan doesn't carry out destructive operations, according to Malwarebytes and Symantec. For most of its operational lifespan, the trojan has shown intrusive popup ads and notification spam.
The ads and notifications redirect users to the Play Store, where victims are asked to install other apps -- a means through which the xHelper gang is making money from pay-per-install commissions.
To avoid being affected, Symantec advises users to take the following precautions:
- Keep your software up to date.
- Do not download apps from unfamiliar sites.
- Only install apps from trusted sources.
- Pay close attention to the permissions requested by apps.
- Install a suitable mobile security app, to protect your device and data.
- Make frequent backups of important data.