We know the feeling of getting rid of something only for it to come back, and much like the common cold that's exactly what the Xhelper Android malware does.

Capable of reinstalling itself even after it has seemingly been purged from an infected Android device, Xhelper has infected some 45,000 devices over the past six months, with the trojan seemingly targeting devices in Russia, India and the US, according to Symantec.

The malicious app hides from detection by not appearing in the Android system launcher. And it appears to infect devices through side-loaded Android apps from beyond the confines of Google's Play Store.

These apps contain the Xhelper code, and Symantec reckons a malicious system app keeps persistently downloading and installing Xhelper even after it has been uninstalled and the device has been factory reset.

With no app icon, and visible only in the app info screen of an Android phone, Xhelper is one sneaky bit of code. And despite the lack of an icon, it can launch itself on certain triggers, such as when the phone is rebooted.
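The two traits described above, no launcher icon and a boot-time trigger, are both declared in an app's manifest, so they make a cheap triage signal for a defender reviewing side-loaded APKs. The following is an added example, not Symantec's tooling or anything from the article: a small Python heuristic that reads a decoded AndroidManifest.xml (an APK's manifest is binary XML and must first be decoded with a tool such as apktool) and flags packages that register a BOOT_COMPLETED receiver while exposing no MAIN/LAUNCHER activity. The two manifests embedded below are constructed samples with made-up package names.

```python
"""Triage heuristic for decoded AndroidManifest.xml files.

Flags a package when it (a) registers a broadcast receiver for
android.intent.action.BOOT_COMPLETED and (b) declares no activity or
activity-alias with a MAIN/LAUNCHER intent filter, i.e. it would start on
reboot but show no icon in the app drawer. Added example code; not from the
article or from Symantec.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _has_filter(component, action, category=None):
    """True if any <intent-filter> on the component matches action (+category)."""
    for f in component.findall("intent-filter"):
        actions = {_attr(a, "name") for a in f.findall("action")}
        cats = {_attr(c, "name") for c in f.findall("category")}
        if action in actions and (category is None or category in cats):
            return True
    return False


def has_launcher_activity(root):
    """Does the app expose an icon in the launcher (MAIN + LAUNCHER filter)?"""
    app = root.find("application")
    if app is None:
        return False
    for tag in ("activity", "activity-alias"):
        if any(_has_filter(c, MAIN, LAUNCHER) for c in app.findall(tag)):
            return True
    return False


def boot_receivers(root):
    """Names of receivers that listen for BOOT_COMPLETED."""
    app = root.find("application")
    if app is None:
        return []
    return [_attr(r, "name") for r in app.findall("receiver")
            if _has_filter(r, BOOT_COMPLETED)]


def triage_manifest(xml_text):
    """Return a summary dict; 'flag' is True for the hidden-plus-boot pattern."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.findall("uses-permission")}
    receivers = boot_receivers(root)
    launcher = has_launcher_activity(root)
    return {
        "package": root.get("package"),
        "launcher_icon": launcher,
        "boot_receivers": receivers,
        # A BOOT_COMPLETED receiver only fires if this permission is also held.
        "has_boot_permission": BOOT_PERMISSION in perms,
        "flag": bool(receivers) and not launcher,
    }


# Constructed sample: no activity at all, but a receiver that wakes on reboot.
HIDDEN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hiddenhelper">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Helper">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with an icon that also restores alarms on boot.
NORMAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.alarmclock">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Alarm">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".RestoreAlarms">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for sample in (HIDDEN_MANIFEST, NORMAL_MANIFEST):
        print(triage_manifest(sample))
```

The heuristic is deliberately narrow: many legitimate apps (alarm clocks, messaging clients) register for BOOT_COMPLETED, so the flag only fires when the boot hook is combined with the absence of any launcher entry point, which is the combination the article attributes to Xhelper. It is a manifest-level signal only; an app can also hide its icon at runtime by disabling its launcher component, so a clean manifest does not clear a package.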

"Once Xhelper gains a foothold on the victim's device, it begins executing its core malicious functionality by decrypting to memory the malicious payload embedded in its package," said Symantec's smart security folks.

"The malicious payload then connects to the attacker's command and control (C&C) server and waits for commands. To prevent this communication from being intercepted, SSL certificate pinning is used for all communication between the victim's device and the C&C server."

Aside from blasting an infected device with pop-up adverts, Xhelper itself doesn't contain any destructive or data-stealing functionality. But like any trojan, it can fetch and run an additional malicious payload, meaning it could be poised to cause havoc across thousands of Android devices.

"In the past month alone, there was an average of 131 devices infected each day, and an average of 2,400 devices persistently infected throughout the month," Symantec said.

This is particularly pertinent because Symantec's researchers said they believe Xhelper's source code is "still a work in progress", so it could be modified for some particularly nasty attacks.

To avoid falling foul of Xhelper, we'd advise you don't install apps from outside the Play Store, and make sure your device is kept up to date and running some mobile antivirus software.

And as an extra precaution, be a little savvy about the sites you visit on your Android device; if they look a bit dodgy, there's a good chance they are.