Android Trojan Infects Tens Of Thousands Of Devices In 4 Months

A new Trojan dropper, dubbed xHelper, has been observed slowly but steadily spreading to more and more Android devices since May, with over 32,000 smartphones and tablets found infected in the last four months. Trojan droppers are tools threat actors use to deliver other, more dangerous malware strains to already compromised devices, including but not limited to clicker Trojans, banking Trojans, and ransomware.

xHelper, dubbed Android/Trojan.Dropper.xHelper by Malwarebytes Labs’ researchers who discovered it, was initially tagged as a generic Trojan dropper only to be upgraded to the rank of a fully-fledged menace after climbing into the security vendor’s top 10 most detected mobile malware in just a few months.

Expert Comments

August 29, 2019
Craig Young
Principal Security Researcher
Tripwire
Trojan droppers are commonly used in Android malware due to their effectiveness in sneaking malicious content past anti-virus or intrusion prevention systems. Malware authors do this by shipping obfuscated or encrypted code within opaque application resource files. This would typically be bundled into a functional app along with checks to recognize when it is “safe” for the trojan to come out of hiding. Kaspersky has also reported today that an app with 100M downloads, CamScanner, has been compromised with a Trojan dropper as well: https://www.kaspersky.com/blog/camscanner-malicious-android-app/28156/ In this case, the app was very popular and had largely positive reviews for several years until users suddenly started reporting intrusive advertising and other undesirable behavior. Kaspersky researchers manually reviewed the application based on these reviews and found that a library had been added containing a dropper they had identified. It is entirely unclear at this point what the source of the infection was, but apparently releases between June 17 and July 25, 2019 were all compromised. It is possible that the developer’s source code was compromised by an outsider or that they had used a compromised toolkit reminiscent of the XCodeGhost malware on iOS. Another possibility is that the app’s authors were simply paid to include a new advertising library which they may or may not have known to be malicious. This should be generally concerning for not just Android users, but frankly users of all platforms receiving automatic updates from third-party developers. Although it may be possible at one point in time to feel confident that an app or a company is legitimate, there is always the risk that the source code supply chain may become compromised, thereby enabling exploitation of large existing install bases. Users of CCleaner for Windows will certainly agree that this is very dangerous territory.
(Avast’s download servers for hosting CCleaner updates were compromised to deliver malware for several months in 2017.)
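The comment above describes the dropper pattern from the attacker's side: an encrypted payload hidden in an opaque resource file, unpacked and loaded at runtime once the app decides the coast is clear. The script below is an added example of how a defender can triage an APK for those two signals; it is not code from Malwarebytes, Kaspersky, or the xHelper analysis, and it makes no claim about what xHelper's files actually look like. It treats an APK as the zip file it is, flags entries under `assets/` or `res/raw/` that are large, near-random (Shannon entropy above a threshold) and not a recognized media or archive format, and separately scans the `classes*.dex` entries for the names of Android's dynamic class loaders. The sample APK it builds in memory is constructed for the demonstration; the threshold, minimum size and marker strings are assumptions chosen for illustration and should be tuned against a corpus of known-good apps before use as a detection rule.

```python
import io
import math
import random
import zipfile

# Magic numbers of resource formats an app legitimately ships as opaque bytes.
# A high-entropy entry that starts with none of these is worth a closer look.
KNOWN_MAGIC = {
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"dex\n": "dex",
}

# Class names a dropper needs in order to load code it unpacked at runtime.
# (Assumed marker list for this example; extend from your own analysis.)
LOADER_MARKERS = [
    b"dalvik/system/DexClassLoader",
    b"dalvik/system/InMemoryDexClassLoader",
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted or compressed data, much lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify(data: bytes):
    """Return the name of a known container format, or None if unrecognized."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def suspicious_resources(apk_bytes: bytes, min_size: int = 1024, threshold: float = 7.5):
    """Names of asset/raw entries that are large, near-random and not a known format."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if not (name.startswith("assets/") or name.startswith("res/raw/")):
                continue
            if info.file_size < min_size:  # uncompressed size
                continue
            data = z.read(name)
            if identify(data) is None and shannon_entropy(data) >= threshold:
                flagged.append(name)
    return flagged


def dynamic_loading_markers(apk_bytes: bytes):
    """Loader class names referenced by any classes*.dex entry in the APK."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                data = z.read(name)
                for marker in LOADER_MARKERS:
                    if marker in data:
                        found.add(marker.decode())
    return sorted(found)


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK (a zip with a fake dex and a few assets); not a real sample."""
    rng = random.Random(1)  # deterministic so the result is reproducible
    encrypted_blob = bytes(rng.randrange(256) for _ in range(4096))   # stands in for an encrypted payload
    png_like = b"\x89PNG\r\n\x1a\n" + bytes(rng.randrange(256) for _ in range(4096))  # legit-looking image
    text = b"key=value\n" * 200                                        # ordinary low-entropy config
    fake_dex = b"dex\n035\x00" + b"\x00" * 64 + b"Ldalvik/system/DexClassLoader;" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", fake_dex)
        z.writestr("assets/app_icons.png", png_like)
        z.writestr("assets/config.properties", text)
        z.writestr("assets/data.bin", encrypted_blob)
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    print("high-entropy unknown resources:", suspicious_resources(apk))
    print("dynamic loader references:", dynamic_loading_markers(apk))
```

Neither signal is conclusive on its own: games and apps with packed assets produce high-entropy files, and many legitimate apps use `DexClassLoader` for plugin or hot-update frameworks. The combination in a small utility app, together with a new third-party library appearing in an update (the pattern the comment describes for CamScanner), is what should trigger manual review.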
