lapasob.blogg.se

Malwarebytes apk





Therefore, until the directories and files are removed, the device will keep getting infected.


It’s important to realize that unlike apps, directories and files remain on the Android mobile device even after a factory reset. Here’s the confusing part: Nowhere on the device does it appear that is installed. It is our belief that it installed, ran, and uninstalled again within seconds to evade detection, all by something triggered from Google PLAY.


The APK in question was a Trojan dropper we promptly named Android/. It is responsible for dropping one variant of xHelper, which subsequently drops more malware within seconds.

Hidden within a directory named was yet another Android application package (APK).

In the hopes that our theory held true, we asked Amelia to look for suspicious files and/or directories on her mobile device using a searchable file explorer, namely, anything that started with com.mufc., the malicious package names of xHelper. And then…eureka!

Furthermore, that something could also be using Google PLAY as a smokescreen, falsifying it as the source of malware installation when in reality, it was coming from someplace else.

However, something within Google PLAY was triggering the re-infection, perhaps something that was sitting in storage.

But Google PLAY itself!? After further analysis, we determined that, no, Google PLAY was not infected with malware.

We have seen important pre-installed system apps infected with malware in the past.

We then noticed something strange: The source of installation for the malware stated it was coming from Google PLAY. This was unusual because none of the malicious apps downloading on Amelia’s phone were on Google PLAY. Since we were running out of ideas, we disabled Google PLAY. As a result, the re-infections stopped!

[Photo provided by Amelia of xHelper running on mobile device]

Triggered: Google PLAY

After all this, xHelper’s persistence would not end.

Amelia was even able to grab various apps we didn’t have in our Mobile Intelligence System to rule everything out.

Starting with the most obvious to the least, we systematically uninstalled suspicious system apps, including the mobile device’s system updater and an audio app with hits on VirusTotal, a potential indicator of maliciousness.

With adb command line installed and the mobile device plugged into a PC, we used the workaround of uninstalling system apps for the current user. This method renders system apps useless even though they still technically reside on the device.

So Amelia tested this theory by going through the steps to run Android Debug Bridge (adb) commands to her mobile device.

Since we had a clean mobile device and it was still getting re-infected, our first assumption was that pre-installed malware was the issue. This assumption was fueled by the fact that the mobile device was from a lesser-known manufacturer, which is often the case with pre-installed malware.

We also ruled out any of the malware having device admin rights, which would have prevented our ability to uninstall malicious apps. In addition, we cleared all history and cache on Amelia’s browsers, in case of a browser-based threat, such as a drive-by download, causing the re-infection.

Clean slate

First off, Amelia was clever enough to do a factory reset before reaching out to us. Unfortunately, it didn’t resolve the issue, though it did give us a clean slate to work with. No other apps (besides those that came with the phones) were installed other than Malwarebytes for Android; thus, we could rule out an infection by prior installs (or so we thought).

By showing the roadblocks we encountered, we demonstrate the thought process and complexity behind removing malware so that others may use it as a guide.


All the fails

Before we share the culprit behind this xHelper re-infection, I’d like to highlight the tactics we used to investigate the situation, including the many dead ends we hit prior to figuring out the end game. If it wasn’t for the expertise and persistence of forum patron Amelia, we couldn’t have figured this out. She has graciously allowed us to share her journey.





