The Trojan is often disguised as an application for cleaning and speeding up a smartphone. After installing it, it may seem to the user that an error has occurred – the trojan does not appear in the program menu, and you can only find it in the list of installed applications in the settings menu. The program accesses the command server, sends information about the device and downloads the next malicious module. The script is repeated several times, it turns out a kind of nesting doll, in which the key element is the AndroidOS.Triada.dd malware, which contains a set of exploits for obtaining superuser rights.
Most likely, the program will be able to get root access on Chinese smartphones running Android 6 and 7. After successfully hacking the device, the trojan will remount the system partition (initially only available in read mode) and introduce another set of malicious programs there. Adding a command to run executable files into the script for the first launch of the OS allows the trojan to recover even after resetting the settings. Other options are changed so as to subsequently make it difficult to connect the system partition to remove malware. Including modified system library libc.so.
The abilities of xHelper in the study are not described in detail, since they are practically unlimited. There is a backdoor in the infected mobile device, and the operator can perform any action with superuser rights. Attackers have access to the data of all applications and can download other malicious modules – for example, to hijack network service accounts. Smartphone treatment is a complex process. In theory, you can load the device into Recovery Mode, you can try to return the original version of the libc.so library to its place, which will remove malicious modules from the system partition. In practice, it’s easier to reflash the smartphone, although researchers have noted that some firmware distributed on the network already contains xHelper.
What else happened
Information security in an epidemic. Google and Apple will jointly develop a service that will determine if you have crossed paths with a carrier of coronavirus (news, a detailed article on Habré). The service involves an anonymous exchange of information between smartphones via Bluetooth, which, of course, raises doubts about the privacy of such an exchange and the possibility of re-profiling the technology, say, for advertising purposes. On the other hand, this is a variant of technological assistance in solving a medical problem.