A widespread Android malware family that mostly targets U.S. phones used a clever trick to re-infect one of its victims, and the researchers who studied it are still puzzled about exactly how it was pulled off.
xHelper came to light last May when a researcher from the security firm Malwarebytes released a short profile of it. Three months later, Malwarebytes provided a more in-depth analysis after the company's Android antivirus app found xHelper on 33,000 devices in the United States, making the malware one of the biggest threats to Android. Encryption and heavy obfuscation made analysis difficult, but Malwarebytes researchers eventually concluded that the malware's primary purpose was to act as a back door that could receive commands remotely and install other apps.
On Wednesday, Malwarebytes published a new post that described the lengths an Android user had to go to in order to rid her device of the malicious app. In short, every time she removed two xHelper variants from the device, the malware reappeared on it within an hour. She reported that even a factory reset wasn't enough to make the malware go away.
The company's researchers initially suspected that pre-installed malware was the culprit. They eventually dropped this theory after the user applied a technique that prevented system apps from running. Malwarebytes analysts later saw signs in the malware that pointed to Google Play as the source of the new infections, but ruled out this possibility after further investigation.
Finally, with the user's help, the company's researchers identified the source of the new infections: multiple folders on the phone that contained files which installed xHelper when they ran. All of the folder names started with the string com.mufc. To the researchers' surprise, these folders were not removed even though the user had reset the device to its factory settings.
"This is by far the worst infection I've encountered as a mobile malware researcher," wrote Nathan Collier of Malwarebytes on Wednesday. "Usually a factory reset, which is the last option, fixes even the worst infection. I don't remember an infection persisting after a factory reset unless the device came with preinstalled malware."
An Android application package (APK) was hidden in a directory called com.mufc.umbtts, and it dropped an xHelper variant. The variant in turn dropped more malware within seconds. With this, xHelper was back on the user's device. The user finally freed her device from the malware after using an Android file manager to delete the Mufc folders and all of their contents. Because the malware somehow made Google Play appear to be the source of the infection, Collier recommends that people in a similar position disable the Google Play Store app before removing the folders.
Collier is still not sure how the Mufc folders got onto the phone in the first place, or why they weren't deleted when the device was reset to factory settings. In October, security firm Symantec also reported that users were complaining that a factory reset didn't kill xHelper, but the company's researchers couldn't explain why. Collier's theory is that an xHelper variant installed the folders and made them appear to be an SD card, which is not affected by a factory reset (the user reported that her device did not have an SD card).
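The article describes the persistence mechanism only in words. The following is an added triage check, not Malwarebytes' own tooling: it walks a local copy of a device's shared storage, reports every directory whose name starts with the com.mufc. prefix quoted above, and lists which files inside are real APKs (ZIP archives carrying an AndroidManifest.xml). The folder name com.mufc.umbtts comes from the article; the directory layout and the placeholder APK in the fixture are constructed for the demo.

```python
import os
import tempfile
import zipfile

# Prefix the article reports the persistent folders shared (com.mufc.umbtts was one of them).
SUSPECT_PREFIX = "com.mufc."

def is_apk(path):
    """An APK is a ZIP archive that contains AndroidManifest.xml; anything else is ignored."""
    try:
        with zipfile.ZipFile(path) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return False

def find_suspect_dirs(root, prefix=SUSPECT_PREFIX):
    """Walk `root` (a pulled copy of the device's storage) and return a sorted list of
    (relative directory, [apk paths]) for each directory whose name starts with `prefix`.
    Matching folders with no APK are reported too (empty list), because the article says
    the whole folder tree, not just the APK, had to be deleted."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).startswith(prefix):
            apks = [os.path.join(dirpath, f) for f in sorted(filenames)
                    if is_apk(os.path.join(dirpath, f))]
            hits.append((os.path.relpath(dirpath, root), apks))
    return sorted(hits)

def build_sample_tree(base):
    """Constructed fixture (not real malware): one matching folder holding a placeholder APK
    (a ZIP with only a dummy manifest entry) and a decoy text file, plus a benign folder."""
    bad = os.path.join(base, "Android", "data", "com.mufc.umbtts")
    os.makedirs(bad)
    with zipfile.ZipFile(os.path.join(bad, "payload.apk"), "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")  # placeholder content
    with open(os.path.join(bad, "notes.txt"), "w") as fh:
        fh.write("not an apk")  # same folder, but must not be listed as an APK
    os.makedirs(os.path.join(base, "DCIM", "Camera"))  # benign, must not be reported
    return base

def demo():
    """Build the fixture in a temp dir and scan it; returns the hit list."""
    return find_suspect_dirs(build_sample_tree(tempfile.mkdtemp()))

if __name__ == "__main__":
    for directory, apks in demo():
        print(directory, "->", apks or "(folder matches, no APK inside)")
```

To scan a real device, pull the shared storage first (for example with `adb pull /sdcard ./sdcard_copy`) and call `find_suspect_dirs("./sdcard_copy")`.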
"I assumed files/directories were removed after a factory reset, but this proves that some things can be left over," Collier wrote in an email. "There are still many unknowns with this. We are just happy to have a solution for our customers who may be struggling with this infection."