In this blog post I’ll discuss mobile malware ‘droppers’ and remote access trojans (RATS), and explain how cybercriminals use them to upgrade mobile malware with more powerful capabilities based on secretly monitoring the user’s activity and environment.
To illustrate how this happens in the real world, I’ll cover 2 specific malware variants – Triada and xHelper – the latter of which was designated as a top malware variant of 2019 and 2020 by Check Point’s Global Threat Index and Malwarebytes’ Top 10 list of most-detected mobile malware (with over 50,000 confirmed exploits in the wild).
First I’ll provide a few definitions if you’re new to mobile malware.
What is a malware dropper?
A mobile malware dropper is a type of mobile Trojan that has been specifically designed to install (or ‘drop’) additional malware on a user’s mobile device. This usually occurs after an existing piece of malware that is already on the user’s device monitors the user’s activity and then phones home to a command and control (C2 or C&C) network to receive an update.
There are many different variants of malware droppers. The dropper malware code is sometimes embedded inside another app, which the user is then tricked into downloading from an app store (the host app is effectively used as a ‘vessel’ to get the dropper malware onto a mobile user’s device). The dropper malware is often embedded/hidden inside some sort of ‘utility’ app, which an unsuspecting user thinks they are downloading to perform a specific function (such as updating their device, improving battery life, scanning QR codes, etc).
Once the dropper malware is on the mobile device, its specific job is to learn about the environment, elevate privileges, or establish a “backdoor” (which it will use to obtain updates). Some droppers scan the target system or silently monitor user activities while remaining hidden in the background. The dropper then sends this information back to a command and control server, which promptly sends back a malware update that is specifically designed to exploit the conditions the dropper reported.
xHelper is a perfect example of a malware dropper that performed all of the above malicious actions in order to gain more powerful capabilities over time. Keep reading and I’ll explain how xHelper disguises and hides itself, tricks users into elevating privileges and granting it permissions, monitors user activity, and phones home for updated payloads. This is how xHelper effectively transforms itself into something more powerful.
What is xHelper and What Does it Do?
The xHelper malware dropper often disguises itself as a ‘disk cleaner’ or ‘speed utility’ application in order to make its way onto a mobile user’s device.
And it is thought to have been downloaded mainly from app stores other than Google Play, although there is nothing that I can tell which precludes download from Google Play.
Initial variants of xHelper started appearing in 2019, and for almost a year, xHelper was deemed ‘undeletable’ and ‘undetectable’ by most malware/virus scanners. Security researchers were confounded by xHelper’s ability to persist and survive uninstalls, even after factory resetting the phone. More on that later.
How xHelper Tricks Users into Elevating Privileges and Abusing App Permissions
xHelper initially behaved as a ‘click-bot’. The first reported/confirmed exploits of xHelper were in the form of displaying/redirecting users to fake ads, adware and malvertisements – ostensibly for purposes of mobile ad fraud.
However, xHelper evolved over time, and it has continued to gain functionality along the way. This is typical of mobile malware, which is programmed to exploit certain conditions it finds in the environment or to trick the user into unknowingly performing a harmful action (such as accepting ‘permission requests’ that benefit the attacker/malware).
Once it was on the user’s device, xHelper tricked users into opening backdoors, elevating privileges or granting root access to the attacker. Once the ‘backdoor’ is established, it creates a way for the attacker to deliver additional malware (sometimes via another dropper) or to update the existing version of xHelper with more capabilities than the previous variant. In other cases, xHelper tricked users into granting permissions that would allow it to forcibly download and install other apps on behalf of the user.
The latter is accomplished via a combination of tricking the user into turning on ‘allow unknown sources’ and requesting permission from the user to install apps on the user’s behalf (this is an attack technique known as a ‘drive-by download’). Even more insidious is the fact that once the user gives permission, the malware can install applications on the user’s behalf indefinitely, and because the user was most likely tricked into granting the permission in the first place, it may never occur to them to revoke it.
How xHelper Hides and Reinstalls Itself
Certain variants of xHelper were able to write to a hidden partition in the Android file system. The screenshot below (which I adapted based on a research report by Malwarebytes) shows an obfuscated/hidden directory created by the xHelper trojan dropper, which effectively contained a full-blown malicious .apk inside. In the screenshot, I’ve highlighted the Java classes directory (DEX files) and the Android manifest below. You can also see other folders whose names have been obfuscated. Essentially, this constituted a working malicious .apk according to Malwarebytes. This also explains part of the reason xHelper was so difficult to remove: the malware persisted or reappeared even after factory resetting the Android phone!
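As an added illustration (not code from the original post or from the Malwarebytes report), here is a small Java forensic helper that walks an extracted Android filesystem image and reports any directory shaped like an unpacked APK (AndroidManifest.xml plus classes.dex) sitting outside the normal app install paths, which is the artifact described above. The class name, the list of expected app roots and the obfuscated-name heuristic are my own assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;

// Hypothetical forensic helper: walk an extracted Android filesystem image and report
// directories that hold an unpacked APK (manifest + dex) outside the normal app locations.
public final class HiddenApkFinder {

    // Where legitimately installed apps live; anything APK-shaped elsewhere is suspicious.
    private static final String[] EXPECTED_APP_ROOTS = {
        "/data/app", "/system/app", "/system/priv-app", "/product/app", "/vendor/app"
    };

    // Constructed heuristic: hidden (leading dot) or a very short lowercase/digit name.
    static boolean looksObfuscated(String name) {
        return name.startsWith(".") || name.matches("[a-z0-9]{1,4}");
    }

    // Returns image-relative paths of directories containing both AndroidManifest.xml
    // and classes.dex that sit outside EXPECTED_APP_ROOTS, tagging obfuscated names.
    public static List<String> findHiddenApks(Path imageRoot) throws IOException {
        List<String> hits = new ArrayList<>();
        try (Stream<Path> dirs = Files.walk(imageRoot)) {
            dirs.filter(Files::isDirectory).forEach(dir -> {
                boolean apkShaped = Files.exists(dir.resolve("AndroidManifest.xml"))
                                 && Files.exists(dir.resolve("classes.dex"));
                if (!apkShaped) return;
                String rel = "/" + imageRoot.relativize(dir).toString().replace('\\', '/');
                for (String root : EXPECTED_APP_ROOTS) if (rel.startsWith(root)) return;
                String tag = looksObfuscated(dir.getFileName().toString()) ? " [obfuscated name]" : "";
                hits.add(rel + tag);
            });
        }
        return hits;
    }
}
```

Run it against the mount point of a dumped system or data partition; each reported path is a candidate for manual inspection of its manifest and dex, not an automatic verdict.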
Kaspersky also published a research report on XHelper, which I have summarized below:
- xHelper encrypts its payload in the file /assets/firehelper.jar
- It runs in the background and monitors for certain activities on the device.
- xHelper scans the device for OS firmware version, manufacturer, and model, and sends that info to a C&C (command and control) server to fetch the appropriate ‘trojan dropper’, which is designed to exploit vulnerabilities or abuse system-specific settings or configurations. The Triada Trojan is one of the ‘dropper’ families that xHelper calls. In this context, Triada is responsible for using a set of exploits to obtain device root privileges.
- Once root access has been secured, xHelper can then install malware or malicious files directly into the system partition and also escalate privileges once again (by remounting the system partition from read-only to read-write).
- xHelper then executes a series of scripts that patch the binaries and install new executables. It also copies itself into the launcher when the phone boots up.
- xHelper also modifies a native C library commonly used in Android apps (libc.so). This effectively prevents an infected user from re-mounting the system partition during a factory reset of the device, which allowed xHelper to persist and ‘re-appear’ after a factory reset.
- And to add icing on the cake, it prevents the user from entering superuser mode (i.e., root access).
Recommendations for Developers
So how do you go about protecting against mobile malware droppers/trojans like xHelper? Here is a set of security and fraud prevention features to consider.
- For starters, protect source code using code obfuscation and app shielding. This will prevent xHelper or the malware writers from reverse engineering Android apps to exploit app-specific conditions, features or vulnerabilities.
- Prevent App Click-Bots – to prevent xHelper from being used in click-fraud on a user’s device.
- Root Prevention – to prevent escalation of privileges by the malware or the attacker
- Block Magisk Manager – to prevent the use of Magisk Manager to assign root privileges to other malware apps (such as Triada)
- Detect Unknown Sources – to prevent xHelper from downloading and installing malicious programs, payloads, trojan droppers
- Runtime Bundle Validation – to prevent xHelper from changing system-level files or adding malicious hidden directories
- Overlay Attack Prevention – to prevent xHelper from using Screen Overlays to trick users into performing harmful actions (to the extent xHelper manifests as an overlay)
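The runtime checks behind several of these recommendations (root/Magisk detection, unknown-sources detection, and detecting the read-write remount of the system partition that the Kaspersky summary above describes as the step before patching libc.so), written as an added Java example that is not part of the original post or any vendor SDK. The class name, the su-path list and a minSdk of 17 are my assumptions.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import android.provider.Settings;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;

// Hypothetical helper: startup self-checks for the conditions xHelper/Triada rely on.
public final class DropperDefenceChecks {
    // Typical su binary locations and the Magisk mount point (constructed, not exhaustive).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", "/sbin/.magisk"
    };
    private static final String MAGISK_PACKAGE = "com.topjohnwu.magisk";

    // Root / Magisk detection: any su binary, a test-keys build, or an installed Magisk app.
    public static boolean isRootedOrMagisk(Context ctx) {
        for (String p : SU_PATHS) if (new File(p).exists()) return true;
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true;
        try {
            ctx.getPackageManager().getPackageInfo(MAGISK_PACKAGE, 0);
            return true;   // Magisk Manager is installed
        } catch (PackageManager.NameNotFoundException ignored) { }
        return false;
    }

    // Unknown sources: a per-app permission from API 26, a global toggle on API 17-25.
    public static boolean unknownSourcesAllowed(Context ctx) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            return ctx.getPackageManager().canRequestPackageInstalls();
        }
        return Settings.Global.getInt(ctx.getContentResolver(),
                Settings.Global.INSTALL_NON_MARKET_APPS, 0) == 1;
    }

    // Integrity: /system (or / on system-as-root devices) mounted read-write is the
    // precondition for patching libc.so or planting a hidden directory, so treat it as hostile.
    public static boolean isSystemMountedWritable() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/mounts"))) {
            String line;
            while ((line = r.readLine()) != null) {
                String[] f = line.split(" ");   // device mountpoint fstype options ...
                boolean systemMount = f.length > 3 && (f[1].equals("/system") || f[1].equals("/"));
                if (systemMount && f[3].startsWith("rw")) return true;
            }
        } catch (IOException ignored) { }
        return false;
    }
}
```

On API 30+ the Magisk package lookup only works if the app declares that package in a `<queries>` element of its manifest; treat any true result as a signal to degrade functionality or alert, not as proof of infection.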