Security Week 16: xHelper – Android Survival Trojan

The Trojan is often disguised as an application for cleaning and speeding up a smartphone. After installation the user may think something went wrong: the trojan does not appear in the app menu and can only be found in the list of installed applications in the settings. The program contacts its command server, sends information about the device and downloads the next malicious module. This step is repeated several times, so the result is a kind of nesting doll whose key element is the AndroidOS.Triada.dd malware, which carries a set of exploits for obtaining superuser rights.
The program is most likely to gain root access on Chinese smartphones running Android 6 and 7. After successfully compromising the device, the trojan remounts the system partition (normally mounted read-only) and places another set of malicious programs there. Adding a command that launches its executables to the script run at OS startup lets the trojan restore itself even after a factory reset. Other settings are changed to make it harder to later mount the system partition and remove the malware, including a modified copy of the system library libc.so.
The study does not describe xHelper's capabilities in detail, since they are practically unlimited: the infected device carries a backdoor, and the operator can perform any action with superuser rights. Attackers have access to the data of all applications and can download further malicious modules, for example to hijack online service accounts. Disinfecting the smartphone is a complex process. In theory, you can boot the device into Recovery Mode and try to restore the original version of the libc.so library, which removes the malicious modules from the system partition. In practice it is easier to reflash the smartphone, although the researchers note that some firmware images circulating online already contain xHelper.
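The three persistence traces described above (a system partition left writable, an init service launched from an unexpected path, and a tampered libc.so) are all checkable from artifacts pulled off the device. The script below is an added example written for this post, not code from the researchers or from any detection tool; it runs over constructed sample data (a /proc/mounts excerpt, an init.rc excerpt and a stand-in libc.so), and the `.helper` service path, the hypothetical `TRUSTED_SERVICE_DIRS` allowlist and the reference hash are all assumptions for illustration, not real xHelper indicators.

```python
import hashlib

# Constructed /proc/mounts sample (not from a real device): /system is mounted rw,
# which is what the remount step described in the post leaves behind.
SAMPLE_MOUNTS = """\
/dev/block/bootdevice/by-name/system /system ext4 rw,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0
/dev/block/bootdevice/by-name/vendor /vendor ext4 ro,seclabel,relatime 0 0
"""

# Constructed init.rc excerpt; the ".helper" path is a placeholder, not a real xHelper path.
SAMPLE_INIT_RC = """\
service adbd /system/bin/adbd
    class core
service svc_helper /system/etc/.helper/run.sh
    class main
    oneshot
"""

# Constructed stand-ins for a pristine libc.so and a tampered copy of it.
REFERENCE_LIBC = b"\x7fELF-good-libc"
TAMPERED_LIBC = b"\x7fELF-good-libc-with-hook"

# Directories a stock firmware normally launches init services from (assumption).
TRUSTED_SERVICE_DIRS = ("/system/bin/", "/vendor/bin/", "/sbin/")


def parse_mounts(text):
    """Parse /proc/mounts lines into dicts carrying a set of mount options each."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, options = parts[:4]
        entries.append({"device": device, "mountpoint": mountpoint,
                        "fstype": fstype, "options": set(options.split(","))})
    return entries


def writable_system_mounts(entries, expected_ro=("/system", "/vendor")):
    """Return mount points that should be read-only but carry the rw flag."""
    return [e["mountpoint"] for e in entries
            if e["mountpoint"] in expected_ro and "rw" in e["options"]]


def suspicious_services(init_rc):
    """Return (name, path) for init services whose binary lives outside trusted dirs."""
    found = []
    for line in init_rc.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "service":
            name, path = parts[1], parts[2]
            if not path.startswith(TRUSTED_SERVICE_DIRS):
                found.append((name, path))
    return found


def sha256_hex(data):
    """Hex SHA-256 of a byte string; used to compare libc.so against a known-good copy."""
    return hashlib.sha256(data).hexdigest()


def library_matches_reference(actual, reference_hex):
    """True when the on-device library hashes to the known-good value."""
    return sha256_hex(actual) == reference_hex


def triage(mounts_text, init_rc, libc_bytes, reference_hex):
    """Collect the three indicators into one report dict."""
    return {
        "writable_mounts": writable_system_mounts(parse_mounts(mounts_text)),
        "untrusted_services": suspicious_services(init_rc),
        "libc_intact": library_matches_reference(libc_bytes, reference_hex),
    }


if __name__ == "__main__":
    # Simulate an infected device: rw /system, a hidden service and a modified libc.so.
    report = triage(SAMPLE_MOUNTS, SAMPLE_INIT_RC, TAMPERED_LIBC, sha256_hex(REFERENCE_LIBC))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real device the inputs would come from `adb shell cat /proc/mounts`, the init scripts under /, and an `adb pull` of /system/lib/libc.so, with the reference hash taken from a pristine copy of the same firmware build; a hash mismatch on libc.so is the cue that the Recovery Mode restoration the post mentions is needed rather than a plain uninstall.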
What else happened
Information security in an epidemic. Google and Apple will jointly develop a service that determines whether you have crossed paths with a coronavirus carrier (news, a detailed article on Habré). The service involves an anonymous exchange of information between smartphones over Bluetooth, which naturally raises doubts about the privacy of such an exchange and about the possibility of repurposing the technology, say, for advertising. On the other hand, this is one way technology can help solve a medical problem.