Xhelper is malware targeting Android devices. While initially its functionality was limited to generating ad clicks for its operators, according to a Symantec report, the malware now has significantly greater functionality.
The source of the infections is currently unknown, though third-party app stores and other download sites may account for the infections, Symantec believes there may be other channels involved in the distribution. Xhelper does not install an icon on infected devices so it doesn’t appear on a device’s launcher and is triggered by events such as an app being installed or a device being rebooted.
Xhelper is persistent and is capable of restarting its service if stopped, and reinstalling itself if uninstalled. When installed, Xhelper decrypts and loads its payload into memory. It also connects to its C&C server secured using SSL certificate pinning. Xhelper can also download additional payloads which may include droppers and rootkits.
None of the samples analyzed were available on the Google Play Store, and while it is possible that the Xhelper malware is downloaded by users from unknown sources, we believe that may not be the only channel of distribution.
According to Symantec, at least 45,000 devices have been impacted by the Xhelper malware. In the past month alone, there was an average of 131 devices infected each day, and an average of 2,400 devices persistently infected throughout the month. The malware mostly affects users in India, the U.S. and Russia.