Wonder if it's written itself into recovery. Or the SIM card/baseband - SIM card in particular usually includes functionality for triggering a sideload of apps (eg for carrier apps), sending notifications, etc into the main SOC so it fits. Maybe the second instance of SIM card malware ever.
All they'd have to do in order to survive a factory reset is to write to the /system partition, which contains the main OS. A factory reset only wipes /data and a few caches.
Writing to /system requires it to be mounted read/write and permissions to do so, so they'd need a root exploit in order to pull it off, but there's quite a few to choose from especially as devices age and given that they're doing this outside Play Store where Google won't pick them up.
I'm just crossing my fingers advanced users don't lose the ability to side-load apps over bad publicity like this; maybe they should make it harder to enable, though.
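One way to check a device for the kind of persistence the comments above describe, as an added example that is not from the thread: it parses the output of `adb shell pm list packages -f` and `adb shell mount`, reports which packages live on partitions a factory reset does not wipe but are absent from the known OEM image, and whether those partitions are mounted read-write. The package names, OEM baseline and mount lines are constructed.

```python
"""Classify installed Android packages by whether a factory reset would remove them.
Added example; sample `pm list packages -f` / `mount` output below is constructed."""
import re

# A factory reset wipes /data and caches; these partitions are left untouched.
PERSISTENT_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/", "/oem/")
PKG_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<name>[\w.]+)$")
MOUNT_RE = re.compile(r"^\S+ on (?P<mnt>\S+) type \S+ \((?P<opts>[^)]*)\)")

def parse_packages(pm_output: str) -> dict:
    """Return {package_name: apk_path} from `pm list packages -f` output."""
    pkgs = {}
    for line in pm_output.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            pkgs[m.group("name")] = m.group("path")
    return pkgs

def survives_reset(apk_path: str) -> bool:
    """True when the APK sits on a partition a factory reset does not wipe."""
    return apk_path.startswith(PERSISTENT_PREFIXES)

def unexpected_persistent(pkgs: dict, baseline: set) -> list:
    """Packages on persistent partitions that the known OEM image does not contain."""
    return sorted(n for n, p in pkgs.items() if survives_reset(p) and n not in baseline)

def writable_mounts(mount_output: str, paths=("/", "/system", "/vendor")) -> list:
    """Mount points (from `mount` output) that are currently mounted read-write."""
    found = []
    for line in mount_output.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m and m.group("mnt") in paths and "rw" in m.group("opts").split(","):
            found.append(m.group("mnt"))
    return found

# Constructed sample output; package names are hypothetical.
SAMPLE_PM = """package:/system/app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/Phone/Phone.apk=com.android.phone
package:/system/app/Zcvq/Zcvq.apk=com.example.unknownhelper
package:/data/app/com.example.game-1/base.apk=com.example.game"""
SAMPLE_MOUNT = """/dev/block/dm-0 on / type ext4 (ro,seclabel,relatime)
/dev/block/by-name/system on /system type ext4 (rw,seclabel,relatime)
/dev/block/by-name/userdata on /data type f2fs (rw,lazytime,seclabel,nosuid,nodev)"""
OEM_BASELINE = {"com.android.settings", "com.android.phone"}  # constructed

if __name__ == "__main__":
    pkgs = parse_packages(SAMPLE_PM)
    print("survive reset, not in OEM baseline:", unexpected_persistent(pkgs, OEM_BASELINE))
    print("persistent partitions mounted rw:", writable_mounts(SAMPLE_MOUNT))
```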
> The ads and notifications redirect users to the Play Store, where victims are asked to install other apps -- a means through which the xHelper gang is making money from pay-per-install commissions.
Software publishers which have been proven to be paying out commission money from "bait and install" app links, for things published in the Play Store, should have their entire app and developer profile removed with extreme prejudice.
That's a bold demand, considering that the majority of free games in the Play Store monetize themselves via partner installs. For all we know, developers of the involved apps are paying a "legit" advertising company for installs, and malware authors act as ordinary partners of that company (likely using a bunch of throwaway accounts).
I sometimes install the app and leave it a one star and a comment with the cause: I was on a page and was forcibly redirected to a marketing page for an app. But major apps (at least in India) won't get punished by a few one stars.
Play store should offer a screen to the users to allow them to report aggressive ads.
I'm really confused. How is it possible something like this survives a factory reset? To be fair, I have a very limited knowledge of hardware like this, but my assumption is a factory reset should remove EVERYTHING that didn't come on the phone out of the box.
Some other comments are questioning whether this is happening to 'budget' devices sold by sketchy manufacturers. Would that explain something like this?
I sure as hell hope that's not the case on a phone from a reputable manufacturer. If I can't wipe everything, including malware, from my Android device by doing a factory reset, I'm going to throw it in the garbage tomorrow & buy an iPhone.
Android devices have multiple storage partitions. "Factory reset" generally refers to wiping the data partitions, but not the system partitions. It does not mean reflashing the phone's entire storage from an external image as you would expect.
I would imagine this malware modifies one of the partitions that is not customarily wiped. And I would expect that doing a proper full reflash from a computer (eg starting from `fastboot flash bootloader ...`) would remove it, assuming it wasn't already baked into that image at the manufacturer.
>but my assumption is a factory reset should remove EVERYTHING that didn't come on the phone out of the box
A simple proof that this isn't the case is the fact that factory resets do not revert your phone back to the same OS version as it came with out of the box, and they do not download an OS image to install. The only devices I know of that do this are MacBooks, which have a built-in recovery that can be used to download a fresh OS X image and install that.
On an unrooted/unexploited phone a factory reset should remove every bit of data a bad app has access to. On a rooted phone you can wipe everything by downloading the vendor image (Google supplies these, but not all OEMs do) and then flashing that over the entire phone, which replaces everything on the storage.
>According to Malwarebytes, the source of these infections is "web redirects" that send users to web pages hosting Android apps. These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan.
Sounds big, but likely paltry compared to active Android devices. That said, for other reasons that are more compelling, Apple is killing Google on "captive portal advantages". Google needs to dedicate more resources to both the PlayStore and the Chrome Extension store for many, many, reasons. They are not getting the inflection point of their "automation is fine" approach.
In other words, the conclusion is right, but this incident is NOT the selling point. Ad blockers and manifest V3 is a much better research study into their stupidity.
This doesn't really seem like a detection issue, but more of a design issue that Google needs to fix. Why is an app able to display ads across the system, even when you aren't running it? And how is it even possible for an app to make itself uninstallable?
I know iOS isn't perfect; however, when I read articles like this, I just have to smile. There's something to be said for a tightly controlled platform and ecosystem.
They get so much wrong, so often, you have to wonder if they really look at the apps at all or just have some checklist, screenshots and a quota to hit. They explicitly approved all the garbage practices that Apple Arcade's billing protects users from.
To be fair, if you stick to just using the Google Play Store, _this_ malware wouldn't hit you.
> According to Malwarebytes, the source of these infections is "web redirects" that send users to web pages hosting Android apps. These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan.
Sure, except that once you get past the idea of trusting others for your security, and instead learning and securing stuff yourself, you quickly realize that "tightly controlled" is just a synonym for "you don't really own your device, we just let you use it how we see fit". As so recently demonstrated by Apple's ability to remove the HKmap.live app.
In general I really wonder why people still defend Apple these days. Even if you overlook a combination of stuff like infinite attempts for iCloud logins that led to the Fappening, their role in the HK protests, and of course their pretty terrible labor practices that go so far as to supposedly break Chinese labor laws (which is a feat in itself), there are still issues with the stuff they produce. Their hardware and software quality has been on a hard decline, especially if you compare it to alternatives rather than on its own merit. They don't really innovate despite opposite marketing claims, and they still participate in this "technology as jewelry" thing with their $1000 monitor stands.
It seems like they could get a better outcome by having levels of trust for unsanctioned apps. Like the default for side-loaded apps would be just as an app only. No background processing, notifications, loading services. To get the latter functionality you could make the user jump through a bunch of hoops with nasty warning messages or even just not allow it.
I don't know why you're being downvoted. You've got a point. There's no perfection in the App Store when it comes to review, but it's an ecosystem that is built around trying to create a sense of control and privacy. Sorry if you don't disagree but I reckon facts overwhelmingly disagree with you if you do.
That's not to say in any way ANDROID BAD or anything like that, it's just a broader attack vector that you're up against with Android unless you're a very careful experienced customer. Most people aren't. :/
paulmd|6 years ago
https://www.youtube.com/watch?v=31D94QOo2gY
There are only so many places it can be hiding if it's surviving a factory reset.
--Guy who is undoubtedly vastly underestimating the problem given that it's resisted AV vendors for a while
morbm|6 years ago
Based on the reddit thread at least one of the devices is from a no-name manufacturer.
https://www.reddit.com/r/antivirus/comments/bj6isa/xhelper_k...
buildzr|6 years ago
thenewnewguy|6 years ago
tgsovlerkhgsel|6 years ago
And recovery is already a stretch IMO.
imglorp|6 years ago
walrus01|6 years ago
altfredd|6 years ago
aitchnyu|6 years ago
dontblink|6 years ago
40four|6 years ago
mindslight|6 years ago
baroffoos|6 years ago
jklinger410|6 years ago
wnevets|6 years ago
Ok, maybe don't do that?
Nairus|6 years ago
tyingq|6 years ago
43920|6 years ago
hans_castorp|6 years ago
redm|6 years ago
benologist|6 years ago
https://mashable.com/2017/06/12/apple-app-store-subcription-...
https://9to5mac.com/2019/10/25/malware-iphone-apps/
https://www.techtimes.com/articles/235985/20181204/apple-rem...
https://www.wired.com/2015/09/apple-removes-300-infected-app...
bobviolier|6 years ago
ActorNightly|6 years ago
dclusin|6 years ago
GetOutOfBed|6 years ago
sekasi|6 years ago
Twirrim|6 years ago
That's what, 0.0018% of devices infected?
arcticbull|6 years ago