xHelper: The Russian Nesting Doll of Android Malware

Ultimately delivering the Triada payload, xHelper goes to great lengths to become virtually indestructible once installed on a smartphone.

The “undeletable” xHelper malware, which ultimately results in the installation of the Triada trojan, has become a virulent scourge for Android devices this year, according to researcher analysis. Its hallmark is being virtually indestructible for the common user.

xHelper is known for its persistence: by secretly re-installing itself, it stays entrenched on the phone even if the device has been restored to factory settings. The malware was first spotted last year, and researchers said they have observed ongoing surges in detections of it. It hides itself from users, downloads malicious apps onto the phone and displays pop-up advertisements.

According to analysis by Kaspersky, the latest sample of xHelper uses a Russian nesting-doll type architecture to worm its way into the heart of Android devices.

A Sequential Approach to Persistence

The infection chain starts by convincing a victim to download a rogue trojanized app – in this case, xHelper is embedded in an app that masquerades as a popular cleaner and speed-up utility for smartphones, according to an analysis published on Tuesday.

After installation, the supposed cleaner is listed as one of the installed apps in the system settings, but otherwise disappears from the victim’s view – there’s no icon present and it doesn’t show up in search results.

But according to Igor Golovin, research analyst at Kaspersky, a payload is decrypted in the background, and its task is to fingerprint the victim’s phone, including the unique user ID, manufacturer, model, firmware version and so on. The malware sends that off to a remote server and then starts unpacking a dropper-within-a-dropper-within-a-dropper – thus evoking the aforementioned nesting dolls (which are known as matryoshka in Russian).

Specifically, the fingerprinting module fetches one dropper (i.e., a downloader), which has its own bundled library that it uses to run itself, according to the analysis. This self-contained module has the sole task of launching yet another dropper, called “Helper.” But it doesn’t stop there – there’s another dropper, called Leech, nested inside the Helper downloader, which is then executed.

“Malicious files are stored sequentially in the app’s data folder, which other programs do not have access to,” explained Golovin. “This matryoshka-style scheme allows the malware authors to obscure the trail and use malicious modules that are known to security solutions.”

The final downloader, Leech, then swings into action by installing the Triada trojan, whose chief feature is a set of exploits for obtaining root privileges on the victim’s device.

“The malware can gain root access mainly on devices running Android versions 6 and 7 from Chinese manufacturers (including ODMs),” said Golovin. “After obtaining privileges, xHelper can install malicious files directly in the system partition.”

He went on to explain that the system partition for Android devices is typically mounted at system startup in read-only mode. Triada sets about altering that.

“Armed with root rights, the trojan remounts [the system partition] in write mode and proceeds to the main job of starting the tellingly named script ‘forever.sh,’” wrote Golovin.

At the same time, he said, Triada copies several executable files to the /system/bin folder, and it inserts code to make sure that a call to them is initiated at system startup.

“All files in the target folders are assigned the immutable attribute, which makes it difficult to delete the malware, because the system does not allow even superusers to delete files with this attribute,” Golovin said.

The result of all of this is that even if the user thinks they’re deleting the malware, the files are ensconced in the system partition and reinstall themselves upon boot-up, even after a factory reset.

The trojan’s authors also anticipated that infected users may try to remount the system partition themselves in order to delete the malware – but the researcher said that Triada’s creators modified the system library “/system/lib/libc.so” to prevent that.

“This library contains common code used by almost all executable files on the device,” according to Golovin. “Triada substitutes its own code for the mount function (used to mount file systems) in libc, thereby preventing the user from mounting the /system partition in write mode.”

And finally, once it’s established persistence, the Triada trojan downloads and installs several more malicious programs.

“The malware installs a backdoor with the ability to execute commands as a superuser,” the researcher wrote. “It provides the attackers with full access to all app data and can be used by other malware too, for example, CookieThief.”

Deleting xHelper

In terms of how to rid a phone of the highly persistent malware, Golovin pointed out that there are options.

Also, “if you have ‘recovery’ mode set up on your Android smartphone, you can try to extract the libc.so file from the original firmware and replace the infected one with it, before removing all malware from the system partition,” he said. “However, it’s simpler and more reliable to completely reflash the phone.”

He added that users could also install alternative firmware from third parties on the device – bearing in mind that some of the device’s components might not operate properly.
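
As an added illustration (not part of the Kaspersky analysis or of this article's source material), the Python example below shows how an analyst could triage a suspect system partition for the two persistence traits described above: files carrying the immutable attribute, and files that are absent from or differ from the vendor's original firmware, such as a modified /system/lib/libc.so. It assumes `lsattr` output and file copies have already been collected; the sample listing, the path `example_added_binary` and all file contents are constructed.

```python
import hashlib
import re

# lsattr prints a flag field followed by the path; 'i' marks an immutable file.
LSATTR_LINE = re.compile(r"^([A-Za-z-]{5,})\s+(/\S.*)$")

def immutable_paths(lsattr_output):
    """Return paths whose attribute field carries the immutable ('i') flag."""
    hits = []
    for line in lsattr_output.splitlines():
        m = LSATTR_LINE.match(line.strip())
        if m and "i" in m.group(1):   # error and header lines never match
            hits.append(m.group(2))
    return hits

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def triage(lsattr_output, device_files, stock_files):
    """Map each suspicious path to the reasons it was flagged.

    device_files / stock_files: {path: bytes}, pulled from the phone and
    unpacked from the vendor's original firmware image, respectively.
    """
    findings = {}
    for path in immutable_paths(lsattr_output):
        findings.setdefault(path, []).append("immutable attribute set")
    for path, data in device_files.items():
        if path not in stock_files:
            findings.setdefault(path, []).append("not in stock firmware")
        elif sha256(data) != sha256(stock_files[path]):
            findings.setdefault(path, []).append("differs from stock firmware")
    return findings

# Constructed sample data (not taken from a real infected device).
SAMPLE_LSATTR = """\
-------------- /system/bin/sh
----i--------- /system/bin/example_added_binary
-------------- /system/lib/libc.so
lsattr: reading flags on /system/bin/ping: Permission denied
"""
SAMPLE_STOCK = {"/system/bin/sh": b"stock sh", "/system/lib/libc.so": b"stock libc"}
SAMPLE_DEVICE = {
    "/system/bin/sh": b"stock sh",
    "/system/bin/example_added_binary": b"unknown payload",
    "/system/lib/libc.so": b"libc with replaced mount()",
}

if __name__ == "__main__":
    report = triage(SAMPLE_LSATTR, SAMPLE_DEVICE, SAMPLE_STOCK)
    for path, reasons in sorted(report.items()):
        print(path, "->", "; ".join(reasons))
```
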

