Android Trojan Infects Tens Of Thousands Of Devices In 4 Months

A new Trojan dropper dubbed xHelper was observed while slowly but steadily spreading to more and more Android devices since May, with over 32,000 smartphones and tablets having been found infected in the last four months. Trojan droppers are tools used by threat actors to deliver other more dangerous malware strains to already compromised devices, including but not limited to clicker Trojans, banking Trojans, and ransomware.

xHelper, dubbed Android/Trojan.Dropper.xHelper by Malwarebytes Labs’ researchers who discovered it, was initially tagged as a generic Trojan dropper only to be upgraded to the rank of a fully-fledged menace after climbing into the security vendor’s top 10 most detected mobile malware in just a few months.

Craig Young, Principal Security Researcher
August 29, 2019 12:46 pm

Trojan droppers are commonly used in Android malware due to their effectiveness in sneaking malicious content past anti-virus or intrusion prevention systems. Malware authors do this by shipping obfuscated or encrypted code within opaque application resource files. This would typically be bundled into a functional app along with checks to recognize when it is “safe” for the trojan to come out of hiding.

Kaspersky has also reported today that an app with 100M downloads, CamScanner, has been compromised with a Trojan dropper as well:

Malicious Android app had more than 100 million downloads in Google Play

In this case, the app was very popular and had largely positive reviews for several years until users suddenly started reporting intrusive advertising and other undesirable behavior. Kaspersky researchers manually reviewed the application based on these reviews and found that a library had been added containing a dropper they had identified.

It is entirely unclear at this point what the source of the infection was, but apparently releases between June 17 and July 25 2019 were all compromised. It is possible that the developer’s source code was compromised by an outsider or that they had used a compromised toolkit reminiscent of the XCodeGhost malware on iOS. Another possibility is that the app’s authors were simply paid to include a new advertising library which they may or may not have known to be malicious.

This should be generally concerning for not just Android users, but frankly users of all platforms receiving automatic updates from 3rd party developers. Although it may be possible at one point in time to feel confident that an app or a company is legitimate, there is always the risk that the source code supply chain may become compromised, thereby enabling exploitation of large existing install bases. Users of CCleaner for Windows will certainly agree that this is very dangerous territory. (Avast’s download servers for hosting CCleaner updates were compromised to deliver malware for several months in 2017.)

Last edited 2 years ago by Craig Young
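The comment above describes the dropper pattern: encrypted or obfuscated code hidden in opaque resource files inside an otherwise functional app. A defender can look for exactly that artefact during APK triage. The following is an added example, not code from the article, from Malwarebytes, or from Kaspersky: it treats an APK as the zip file it is, walks the resource directories a dropper would use (`assets/` and `res/raw/` are an assumption, as are the entropy and size thresholds), and flags entries that either carry code magic bytes (DEX, ELF, nested zip/JAR) or have the near-random byte distribution of encrypted data. The sample APK it scans is constructed in the script itself.

```python
import io
import math
import random
import zipfile

# Heuristic parameters for this example (assumptions, not values from the article).
ENTROPY_THRESHOLD = 7.2                  # bits/byte; encrypted or compressed data sits near 8.0
MIN_SIZE = 1024                          # entropy estimates on tiny files are noisy, skip them
SUSPECT_DIRS = ("assets/", "res/raw/")   # opaque resource locations an app can load at runtime
CODE_MAGICS = (b"dex\n", b"\x7fELF", b"PK\x03\x04")   # DEX, native library, zip/JAR
IMAGE_MAGICS = (b"\x89PNG", b"\xff\xd8\xff", b"RIFF")  # legitimately high-entropy media


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_apk(apk_bytes: bytes):
    """Return (entry name, reason, entropy) for resource entries that look like hidden payloads."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.startswith(SUSPECT_DIRS):
                continue
            data = zf.read(info)
            # Executable code shipped as a "resource" is suspicious regardless of its entropy.
            if data.startswith(CODE_MAGICS):
                findings.append((name, "embedded-code", round(shannon_entropy(data), 2)))
                continue
            # Images are high-entropy by nature; only unexplained opaque blobs are of interest.
            if info.file_size < MIN_SIZE or data.startswith(IMAGE_MAGICS):
                continue
            h = shannon_entropy(data)
            if h >= ENTROPY_THRESHOLD:
                findings.append((name, "high-entropy", round(h, 2)))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample APK (a plain zip) mixing benign entries with two dropper-style ones."""
    rng = random.Random(1234)  # seeded so the sample is reproducible
    blob = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(4096))       # app's own code, expected
        zf.writestr("res/raw/license.txt", b"Copyright notice. " * 200)  # low-entropy text, benign
        zf.writestr("res/drawable/logo.png", b"\x89PNG\r\n\x1a\n" + blob(4096))  # image, benign
        zf.writestr("assets/tiny.bin", blob(100))                        # below MIN_SIZE, ignored
        zf.writestr("assets/config.dat", blob(8192))                     # encrypted-looking blob
        zf.writestr("assets/update.jar", b"PK\x03\x04" + bytes(2048))   # nested archive in assets
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason, entropy in scan_apk(build_sample_apk()):
        print(f"{name}: {reason} (entropy {entropy} bits/byte)")
```

Both hits are leads, not verdicts: the next step in triage is to find the code path that reads the flagged asset and to look for the kind of "is it safe yet" gating the comment mentions (uptime, locale, emulator or debugger checks) before the blob is decrypted and loaded.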
Information Security Buzz