xHelper is a very dangerous malware attacking Android devices, which became famous for being able to survive restoring the system to factory settings. Analysts did not know for a long time how it works.
xHelper malware has appeared at the end of 2019. In October, the malware has infected 45 thousand devices and did not end at that time. This unique threat is able to survive restoring the smartphone to factory settings. The mechanism of its operation remained secret for several months.
Here is the secret of the malware that you cannot remove from Android
Gizchina News of the week
Kaspersky Lab specialists have found and analyzed the threat. The most interesting thing about it is that it was able to install itself on the system partition.
In normal Android operating mode, this part of the memory is mounted read-only. It is therefore not possible to delete xHelper files during traditional smartphone use. Its components are camouflaged between system files necessary for Android operation.
The attributes assigned to xHelper files do not allow removal even by a user with root privileges. By the way, xHelper removes all root-related applications (for example, Superuser). As if that was not enough, the malware modifies Android libraries to prevent the mounting of the system partition for writing in any conditions.
In fact, the only way to get rid of this malware is to flash your smartphone from a restore version. In the recovery mode, you need to upload a completely new system image. And here we come to another attraction – many Android images for cheaper smartphones from China already had an “add-on” that downloaded xHelper.
Recall that the malware primarily affects Android versions 6 and 7, so users with newer versions are safe. Estimates for the number of affected phones infected by xHelper previously ranged from around 33,000 to 45,000, but again, only devices running older, less secure versions of Android should be susceptible to the malware.
Is there no means of creating an equally agressive anti virus that seeks out this particular malware?
The question is how did it manage to write into the Read-Only memory?
It wasn’t read only before the malware mounted itself there, then it changed the partition to read only therefore making it impossible for any antivirus to remove it because it was then read only.
I told you android 6 has some buges and lages ( but i don’t know about android 7 )
The /system partition is mounted as read only by default. It’s very strange it’s able to write files into it, there must be some sort of exploit it’s using.