A new Trojan dropper dubbed xHelper was observed while slowly but steadily spreading to more and more Android devices since May, with over 32,000 smartphones and tablets having been found infected in the last four months. Trojan droppers are tools used by threat actors to deliver other more dangerous malware strains to already compromised devices, including but not limited to clicker Trojans, banking Trojans, and ransomware.
xHelper is classified as an Android/Trojan.Dropper.
A new Android Trojan dubbed xHelper has slowly been spreading to over 32,000 devices since May. The trojan dropper is used to deliver more dangerous forms of malware #trojan #android #xhelper #malware #infosec #cybersecurity https://t.co/7QmKLm2hci pic.twitter.com/IvbNMOX2lC
— SecurityTrails (@securitytrails) August 29, 2019
Trojan droppers are commonly used in Android malware because they are effective at sneaking malicious content past anti-virus and intrusion prevention systems. Malware authors do this by shipping obfuscated or encrypted code inside opaque application resource files (assets or raw resources that scanners treat as data rather than code). The blob is typically bundled into a functional app together with checks that recognize when it is "safe" for the trojan to come out of hiding, such as confirming the app is running on a real device rather than an analyst's emulator, and only then is the payload decrypted and loaded at runtime.
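The two signals described above, an opaque high-entropy resource and code that loads classes at runtime, are both visible statically in an APK, which is just a zip file. The following triage script is an added example written for this article, not code from the original page or from any of the researchers it cites. The APK it inspects is constructed in memory with a plausible dropper layout (a low-entropy text asset, a pseudo-random "config.dat" standing in for an encrypted payload, and a stub classes.dex that references DexClassLoader); the directory list, the 7.0 bits/byte entropy threshold and the minimum blob size are assumptions chosen for illustration, not values taken from xHelper.

```python
"""Static triage for dropper-style payload hiding in an Android APK.

Added example, not part of the original article. It looks for two signals:
an opaque, high-entropy resource (an encrypted or packed payload) and a dex
file that references a dynamic class loader. The APK used here is built in
memory; real APKs are plain zip files, so triage_apk() also works on the
bytes of a file read from disk.
"""
import io
import math
import zipfile
import hashlib
from collections import Counter

# Directories where droppers commonly park an encrypted payload (assumption).
OPAQUE_DIRS = ("assets/", "res/raw/")
# Entropy in bits per byte above this is typical of encrypted or compressed
# data; plain text sits around 4-5 (threshold is an assumption for the demo).
ENTROPY_THRESHOLD = 7.0
MIN_BLOB_SIZE = 1024
# Dalvik type descriptors that indicate code loaded at runtime from outside
# the shipped classes.dex.
DYNAMIC_LOAD_MARKERS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the suspicious resources and dynamic-loading markers found."""
    findings = {"high_entropy_resources": [], "dynamic_load_markers": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if info.filename.startswith(OPAQUE_DIRS):
                ent = shannon_entropy(data)
                if ent >= ENTROPY_THRESHOLD and len(data) >= MIN_BLOB_SIZE:
                    findings["high_entropy_resources"].append(
                        (info.filename, round(ent, 2)))
            if info.filename.endswith(".dex"):
                for marker in DYNAMIC_LOAD_MARKERS:
                    if marker in data:
                        findings["dynamic_load_markers"].append(
                            (info.filename, marker.decode()))
    return findings


def _pseudo_random(n: int, seed: bytes = b"payload") -> bytes:
    """Deterministic stand-in for an encrypted blob (a sha256 hash chain)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_apk() -> bytes:
    """Constructed APK-like zip with a dropper layout; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        # Low-entropy, legitimate-looking resource: should not be flagged.
        zf.writestr("assets/eula.txt", b"Terms of service\n" * 200)
        # Opaque blob posing as a config file: the hidden payload.
        zf.writestr("assets/config.dat", _pseudo_random(4096))
        # Stub dex (not valid bytecode) that references a dynamic class loader.
        zf.writestr("classes.dex",
                    b"dex\n035\x00" + b"\x00" * 64 +
                    b"Ldalvik/system/DexClassLoader;" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    for name, ent in result["high_entropy_resources"]:
        print(f"opaque resource {name}: {ent} bits/byte")
    for dex, marker in result["dynamic_load_markers"]:
        print(f"{dex} references {marker}")
```

Neither signal is proof on its own: legitimate apps ship compressed assets and some SDKs load code dynamically. The combination, a large opaque blob plus a class loader in the same package, is what makes an app worth pulling apart by hand, and a high-entropy asset with a misleading extension such as .dat, .png or .txt is the classic tell.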
Kaspersky has also reported today that CamScanner, an app with more than 100 million downloads, has been compromised with a Trojan dropper as well.
In this case, the app was very popular and had largely positive reviews for several years, until users suddenly started reporting intrusive advertising and other undesirable behavior. Prompted by those reviews, Kaspersky researchers manually reviewed the application and found that a library had been added containing a dropper they had previously identified.
It is entirely unclear at this point what the source of the infection was, but apparently releases between June 17 and July 25, 2019 were all compromised. It is possible that the developer's source code was compromised by an outsider, or that they used a compromised toolkit, reminiscent of the XcodeGhost malware on iOS. Another possibility is that the app's authors were simply paid to include a new advertising library, which they may or may not have known to be malicious.
This should be generally concerning not just for Android users but, frankly, for users of all platforms who receive automatic updates from third-party developers. Although it may be possible at one point in time to feel confident that an app or a company is legitimate, there is always the risk that the source code supply chain becomes compromised, enabling exploitation of large existing install bases. Users of CCleaner for Windows will certainly agree that this is very dangerous territory. (In 2017 a trojanized CCleaner build, signed with the vendor's legitimate certificate, was served from Avast's official download servers for roughly a month before it was discovered.)