back to article Please, just stop downloading apps from unofficial stores: Android users hit with 'unkillable malware'

An Android malware package likened to a Russian matryoshka nesting doll has security researchers raising the alarm, since it appears it's almost impossible to get rid of. Known as xHelper, the malware has been spreading mainly in Russia, Europe, and Southwest Asia on Android 6 and 7 devices (which while old and out of date, …

  1. Pascal Monett Silver badge

    Credit where credit is due

    They may be scum, but you have to give them credit for knowing exactly how to completely pwn the phone system internals.

    That is an amount of analysis and reverse engineering that is impressive.

    So, congratulations. Now where's that noose ?

  2. TeeCee Gold badge

    Armed with its powerful root privileges....

    I guess Android's security model still needs work if something can waltz in from outside and assume root privilege. I am of the opinion that the "no user has admin authority" model has an inherent flaw to it. The mechanisms of privilege escalation and control do not get exercised enough to iron the bugs out.

    1. diodesign (Written by Reg staff) Silver badge

      "and assume root privilege"

      No, it has to exploit security holes in Android 6 and 7, which are old and out of date, to achieve root.


      1. Paul Shirley

        Re: "and assume root privilege"

        ...and user rooted devices will block unknown apps by default.

        1. bombastic bob Silver badge

          Re: "and assume root privilege"

          "and user rooted devices will block unknown apps by default"

          you sure it's not the opposite (or were you being snarky)?

          A normal "non-rooted" device blocks un-blessed applications by default, requiring you to jump through a hoop or two to install the potentially "dirty" ones. Some older 'droid versions were actually LESS convenient for doing this, at least on the versions I've worked with [I've had to do it for development stuff a while back, put APK up someplace, have people install it, etc.]. Newer ones have different hoops when you download, but just an extra "yes I want to do this" step rather than changing the default setting to allow 'foreign' APKs or whatever. It's been a while since I did it last... [online instructions if I forget]

          But yeah any downloaded APK is a potential disaster for the person installing. The idea that a factory reset does NOT get rid of this particular malware is disturbing. Not sure how to EASILY do a complete re-flash though. It sounds like it would require more than an average tech... [maybe time to research doing that - I never went so far as to figure out how to do a complete re-flash on a 'droid device]

          maybe future 'droid devices will need to ship with actual ROM (and not a potentially writable image) for a PROPER factory reset.

          /me considers investigating how a debug USB cable might make this a little easier to deal with...

          (I obviously STILL have a lot to learn about these things)

          and yet - the absolute LAST thing we should want to see is an Apple-like (paywall and/or censor-wall) *STRANGLEHOLD* on what you can or cannot install... _ESPECIALLY_ for independent developers!

          1. Paul Shirley

            Re: "and assume root privilege"

            Trusted rooting implementations require apps to be whitelisted or one time authorised before they can successfully call su.

            Malware on a user rooted device will need to trick the user into authorising it or find an exploit to replace the existing su. Rooting a device is pretty safe unless you're easily tricked.

      2. John Brown (no body) Silver badge

        Re: "and assume root privilege"

        "which are old and out of date"

        ...and clearly there are many, many devices out in the wild still, because they can't (easily) be updated and security patching stopped YEARS ago. You can't fix security by mandating that users buy new phones every year or two. The security holes may be old, but clearly they are not "out of date".

        1. Stork Silver badge

          Re: "and assume root privilege"

          We have an Asus tablet running Android 7, but then it is only used for browsing (incl. this esteemed organ) and reading e-books. Does not get anywhere near the bank (and neither does the up to date phone).

          But for that purpose it is just fine, and the risk something one can live with.

          1. Lord Elpuss Silver badge

            Re: "and assume root privilege"

            On a VLAN I hope? There's no way I'd allow an Android 6/7 device to coexist on my normal network - it's a potential risk vector I just don't need.

      3. Brewster's Angle Grinder Silver badge

        Landfill Android

        "...which are old and out of date..."

        And I'm sure my upgrade will be along RSN. Any day now. I'm just waiting for that notification and then I'll straight away upgrade. Coz, other than that, this phone works fine.

      4. dajames

        Re: "and assume root privilege"

        No, it has to exploit security holes in Android 6 and 7, which are old and out of date, to achieve root.

        That may be the case, but I have several devices that cannot be upgraded to Android 6 or 7, let alone anything newer. Until Google mandate that all manufacturers must provide timely security fixes for older versions Android for the lifetime of the devices it's not really a defence.

        The lack of software updates should never be a reason for good, working, hardware to end up in landfill.

        1. Mike Tubby

          Re: "and assume root privilege"

          Please define "... lifetime of the device..." is this 6 months, 18 months, 5 years, 7 years?

          Part of the problem here is 'churn', i.e. the rate at which the Chocolate Factory obsoletes operating systems and their ecosystems...


          1. Anonymous Coward
            Anonymous Coward

            Re: "and assume root privilege"

            20 years. Minimum.

            No, I'm not even joking. In fact, there are lots of devices older than that in use in production environments.

            OOOOHH SHINY!!!! may be good enough for consumer device replacement schedules, but some of us deal with devices that cost a fucklot of money and need to work for decades.

            Even for consumer stuff a 10 year minimum supported lifespan is too short. How many decade old computers are still out there, and still perfectly adequate for the job they're doing? Even with phones, 10 years ago was the iPhone 4, which would be perfectly adequate today for a lot of peoples' needs if an OS update was available. Sure, YOU run lots of apps and surf the web on your phone like a teenager, but plenty of people read an occasional text, maybe check email, and primarily talk on the phone with it, because, you know, it's a telephone.

  3. Paul Shirley

    nice to see a breakdown of how it persists

    Earlier reports seem to have not known how factory reset works and how little it actually does. If you're not into flashing 3rd party OS images I guess you just wouldn't think about recovery mode and reflashing - nuking the partitions from orbit.

    1. bombastic bob Silver badge

      Re: nice to see a breakdown of how it persists

      yes - it doesn't sound trivial at all. Maybe I should get another el-cheapo slab and try upgrading the old one, to improve my 'droid skills.

    2. stiine Silver badge

      Re: nice to see a breakdown of how it persists

      You're presuming it can't play in the SIM card and that the CPU doesn't have a microcontroller that it can infect, a la Intel.

    3. Hwalker1

      Re: nice to see a breakdown of how it persists

      Would be nice if someone explained the meaning of "flashing" in this context. I've been programming since 1978 and never come across that process.

      1. Paul Shirley

        Re: nice to see a breakdown of how it persists

        Flashing simply means overwriting the systems flash memory. Overwrite the partitions the OS runs from, zero the data partitions and nothing survives of any infection (unless it can run from external storage - which nowadays would require a hacked firmware).

        Stock recovery mode is how you flash signed stock firmware images, often to recover a bricked or corrupt phone, or force an OS upgrade. For tinkering we flash the stock recovery partition with something more hacker friendly.

      2. Irongut

        Re: nice to see a breakdown of how it persists

        In old timer speak... burning new code into the EEPROM.

        Although as someone who has been programming since 1980 myself I'd have thought you'd have heard of "flashing the BIOS" at least and could extrapolate from there.

  4. AnAnonymousCanuck

    > Even better advice is to avoid downloading any suspicious apps from the Google Play Store

    Guess that means no apps at all. lol


  5. Anonymous Coward
    Anonymous Coward

    Many users have no control over what apps get installed

    Millions of Android phones distributed by Access Wireless and Assurance Wireless as part of the government assistance "LifeLine" program install apps from unofficial app stores and cloud servers without users knowledge or intervention.

    Millions of minature 'Nix devices with WiFi cards, GPS, Bluetooth and NFC running as root accepting remote commands from an adversarial country.

    What can possibly go wrong?

  6. Dan 55 Silver badge

    "don't use unauthorized third-party stores at all."

    The usual plug for F-droid which is arguably safer than the Play Store goes here.

    1. Irongut

      Re: "don't use unauthorized third-party stores at all."

      Yeah, considering the number of infections I regularly read about that were installed from Google Play I do think that "no third party stores" advice at least sounds hollow if not actually counter productive.

    2. Dr.Flay

      Re: "don't use unauthorized third-party stores at all."

      Actually it isn't even an argument anymore. They have confirmed that so far they have never had to remove malware due to their stricter policy than google.

      See the recent interview

      Confirmed. F-Droid is the safest app store.

  7. Anonymous Coward
    Anonymous Coward

    definitely don't use unauthorized third-party stores at all

    well, I do, an will "definitely" use "unauthorised 3rd party stores". But then, I don't download any crapp.apk just because it's another "FIVE STAR RATED!!!!" junk that claims to do "everything for nothing", on 3rd party, 2nd party, or any party. And definitely NOT google-party.

  8. jelabarre59

    because you don't own what you own

    It would seem to me the major issue of not being to clear out such malware is that you the OWNER of the device are not allowed your rightful root-level access. Certainly, you shouldn't be running as root in your daily usage, but Android decides to tell you that you might be the owner, bit you don't actually *OWN* your own devices.

    Properly designed, you should be able to boot your device from a clean and write-protected medium (most likely a microSD, or perhaps something on an OTG adapter) and do a full wipe of the storage, and then re-load a clean install. Perhaps the system/OS storage should be on a removable chip inside the phone, where in the worst-case you could pull it out and read/reflash it from your computer (probably not microSD, I think it would probably need a specialized spec, but that's not my field of expertise).

    Given Google's own preferences, I'd expect Google would prefer Android be run as an extreme exaggeration of ChromeOS, where the *only* thing on your phone is a bootloader, and anything else has to be run off the internet from their servers.

    How is it that the shit-show that was MSWindows Mobile looks to have been *more* open than the supposedly FLOSS-based Android?

    1. AJ MacLeod

      Re: because you don't own what you own

      That's not how ChromeOS works...

  9. RobinCM

    Google Play Store not available

    On a brand new device running Android 9 I can only use 3rd party stores because Google prevents the manufacturer from installing Google Mobile Services, which stops Play Store plus sign-in to most of their apps (Chrome, YouTube, etc.).

    The device is a projector (Phillips Picopix Max).

    Must be a pretty compelling reason for Google to block that, because think of all the app and media sales (plus harvested data) revenue they're missing out on. From a consumer point of view it's annoying and makes no sense.

    From a security point of view it's annoying and makes no sense.

    1. Irongut

      Re: Google Play Store not available

      Google did not prevent them, Phillips decided you would not want Google Play so did not pay to install GMS. So from a consumer point of view it makes no sense to buy (this projector) from Phillips, assuming you want apps on a projector for some reason.

      1. RobinCM

        Re: Google Play Store not available

        That's not what Phillips are saying.

  10. Blackjack Silver badge

    You know...

    While it might not as terrible as this one, Google Play does have a lot of malware.

  11. UncleZoot

    And to think all this time Apple caught so much flack for locking down the distribution of software used on IOS devises.

    I understand wanting to be in control of a piece of kit you purchased, but too many people just clicj the accept and install button to be a menace to themselves and others.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like