Android Security

An Old Android Virus is Reinstalling Itself Even After Factory Resets (inputmag.com)

A particularly persistent malware infection has been spreading amongst Android phones -- and removing it only seems to bring it back with a vengeance. From a report: The Trojan xHelper, which Malwarebytes first wrote about last year, is reportedly re-spawning on devices where it's already been removed. If virus-removal software doesn't take care of a nasty infection, a hard reset will usually do the trick. But users report that even a full factory reset of an infected device doesn't wipe xHelper out completely. Within an hour the malware is usually back and ready to wreak havoc. Here's how to remove it.
  • What you need is a complete reload - and all phone manufacturers should provide full software load images to allow you to really clear your phone.

  • Malware from May 2019 is now considered "OLD". Wow.

    • > Malware from May 2019 is now considered "OLD". Wow.

      When anti-virus and malware updates are checked hourly and delivered daily, why would it not? This is an obscenely dynamic environment.

      Hell, we often see firmware alerts more often than that.

    • Yup. We know how to build two types of "secure" systems, ones that are never ever connected to any kind of network, and ones that need to be patched daily in order to deal with all the vulns. Anything else is a goner.
  • by ITRambo ( 1467509 ) on Thursday February 13, 2020 @01:38PM (#59724772)
    Is Google actively working on the issue, to block all but specific files from lingering after a reset? This is important, as I like Android but will switch to an iPhone if Google can't do a much better job. Come on Google. Do your best, not 98% of the best.
    • > Is Google actively working on the issue, to block all but specific files from lingering after a reset? This is important, as I like Android but will switch to an iPhone if Google can't do a much better job. Come on Google. Do your best, not 98% of the best.

      That's assuming Google takes responsibility.

      Google is the OEM provider of the OS. That doesn't mean they're the ones ultimately responsible (which is a large part of this problem with Android OS). The phone manufacturer all the way up to the service provider may also have responsibility here as well. Change the OEM version in any way, and you've allowed the OEM to essentially weasel out of being responsible, while also giving them a finger to point at others.

      This is also why some prefer Apple. One throa

      • But this exploit is using a flaw in the OS provided by the OEM to bypass a factory reset. The OS somehow provides a mechanism for flagging files stored on one device as actually belonging to another device. So files stored on the phone somehow get flagged as being stored on a non-existent SD card. So when the phone goes into factory reset, it resets the data on the phone. Since the files in question are, to the OS, stored on an SD card, those files are left alone. There's a flaw in some layer of the OS

        • > But this exploit is using a flaw in the OS provided by the OEM to bypass a factory reset. The OS somehow provides a mechanism for flagging files stored on one device as actually belonging to another device. So files stored on the phone somehow get flagged as being stored on a non-existent SD card. So when the phone goes into factory reset, it resets the data on the phone. Since the files in question are, to the OS, stored on an SD card, those files are left alone. There's a flaw in some layer of the OS that the OEM is providing that's allowing this to happen. Clearly the OS maker has the responsibility to patch this.

          While your analysis may be accurate (to which I would agree with you), good luck finding responsibility in a sea of Android finger-pointing.

          (Example bullshit OEM response): "Well, why didn't you have an SD slot?"

          • > While your analysis may be accurate (to which I would agree with you), good luck finding responsibility in a sea of Android finger-pointing

            It sounds like it's doing the kind of wipe that preserves /data/sdcard, for people to keep their data. Something must be interacting with that data to get it to reinfect.

            e.g. a media buffer overflow exploit can exploit the Google media Indexer. If it's not vulnerable at Google's current patchlevel then it's the OEM's fault. If it is vulnerable at the current patch

    • You want an OS update from an Android phone? Good luck with that. Apple does 5 years of updates for iPhone.

      • I read that a lot, but is that really true for devices after you buy them? More to the point, I got my OnePlus 3T in December 2016, running Android 6. This phone went out of sale by May 2017. It received the final manufacturer's update last December, 3 years after my purchase, but more importantly, 2.5 years after the last sale.

        Now, recently, Apple stopped updating the iPhone 6, but I'm quite sure that it was for sale less than 2 years ago.

        Add to that that my OnePlus 3T is supported by Lineage OS (my re

      • My now 4 year old Samsung phone is on the latest security patch level. Apple may provide full OS updates for 5 years and Android may not, but that has nothing to do with security as just like on a PC the security updates are completely independent of the OS version of Android.

      • It doesn't appear to be OS related but rather Play Store related. Google provides security updates for all phones for any part of the system it can keep up to date over the play store, which these days are a large part of the network facing features.

        I'll bet you a Marsbar that fixing this doesn't even need a user to apply a security update (which many vendors offer for 5 years as well and has nothing to do with OS version).

    • > I like Android but will switch to an iPhone if Google can't do a much better job

      Most of the world's Android customers can't afford to make this threat. But since you are you should ask why Apple has a trillion dollars and won't effectively counter Cellebrite before making any decisions.

    • > Is Google actively working on the issue?

      Probably. Fixing bugs takes time and isn't usually very exciting, it's unlikely that any of the bugfixing process would get any media coverage. It might get another story once they actually fix the bug, but that may be a while.

    • Google has a poor track record of managing their play store - with safety in mind. _Self searches will reveal how bad this is. They regularly purge their store, which is their band-aid to a gangrenous leg. I just hope they can come up with a better solution for us products, I -er- mean users...
    • > Is Google actively working on the issue, to block all but specific files from lingering after a reset?

      Nothing lingers after reset. Android has a read only partition and a writable partition. A factory reset completely nukes the writable one. Read the linked article. The malware was NOT present after a reset but reinstalled itself through Google Play via some vector, most likely the malware alters something in the user's Google account that triggers a reinstall.

  • This would only happen, of course, if the "Factory Reset" did not actually "reset" the device to a factory state. Either the "Factory Reset" does not function properly (a Google/Android bug by not removing *all* files not part of the factory image) *or* the user only chose to do a partial "Factory Reset".

    The article is unclear as to whether the luser failed to do a full "Factory Reset" or if the "Factory Reset" is itself defective.

    • I just tried doing a "Factory Reset" on my old Samsung Galaxy S3 and sure enough, the "Factory Reset" reformatted the filesystem and restored the device to a "Factory" state. Nothing survived. No files on internal storage were preserved. Nada. Zilch. Zippo.

      So it would appear that the luser in the article did not actually perform a Factory Reset. They did something else which they thought was a Factory Reset but was not, actually, a Factory Reset.

      • One data point is all you need. Case Closed!
        • It's not a datapoint, it's the fundamental way Android works. The factory image resides on a read only partition on the device. Any user changes reside on another partition and that partition gets formatted during a factory reset. Back 100% to factory conditions including wiping the malware. Read the link in the summary it even mentions that the malware is not initially present after a factory reset, and that it is triggered through Google Play indicating that it is related to the user account, and I'll bet

      • by suutar ( 1860506 )

        They weren't using a Samsung; their vendor's "Factory Reset" may be less complete than yours. While this would still mean the user did something they thought was FR but not actually FR it is not necessarily the fault of the user.

        • > their vendor's "Factory Reset" may be less complete than yours.

          Factory resetting *any* Android device involves nothing more than formatting all user writable partitions. Samsung is not unique in this regard, and read the link the malware does not persist across factory resets, but rather it reinstalls itself which is something to do with Google Play and the user account.

      • by AK Marc ( 707885 )
        Most "factory reset"s don't reset to factory. They reset to a snapshot. This is "good" because it stores security updates and the like, so you don't have to re-download all updates after a reset. But also, it's bad. It can capture malware inside the "factory reset".

        The "fix" is to have a "soft wipe" and a "hard wipe" to allow a quicker full reset, and a fuller factory reset.

        This isn't just a "google" issue, but a handset problem.
        • > Most "factory reset"s don't reset to factory. They reset to a snapshot. This is "good" because it stores security updates and the like, so you don't have to re-download all updates after a reset. But also, it's bad. It can capture malware inside the "factory reset".

          > The "fix" is to have a "soft wipe" and a "hard wipe" to allow a quicker full reset, and a fuller factory reset.

          > This isn't just a "google" issue, but a handset problem.

          False. Factory reset resets to the *current* factory image of the phone. That is if you take a 2 year old phone, apply all updates and do a factory reset, you will have the same factory device as the one you pickup from the store today (assuming that hasn't been sitting on the shelf for 2 years).

          The only way to modify your "snapshot" (which isn't a snapshot at all but rather the current factory image) is via the bootloader writing to a read only partition. This is also why you can't apply security updates h

          • by AK Marc ( 707885 )

            > Malware has no vector to apply the update, unless of course it is cryptographically signed by the vendor and thus could actually be installed by the bootloader.

            Yup. All the malware needs to do is MITM the update. You make it sound impossible. It's been done before, and is essentially one of the ways to "jailbreak" a phone. A privilege elevation to add in a malicious root server, then have the fraudulent code signed by that.

            There are many more ways to do it, but I don't have time to list them all, and wouldn't want to give anyone bad ideas.

    • Considering that the way it's done in the factory is by flashing an image, no factory reset function is going to be that. It's an attempt to imitate that with safeguards. No question it's being done, but a factory reset can't actually happen the way it happens at the factory unless you have a dedicated ROM sitting there waiting to re-flash the phone.

      • > Considering that the way it's done in the factory is by flashing an image, no factory reset function is going to be that

        Nope. Factory resets flash an image into one partition that is completely unchanged in any process other than flashing another image (via a bootloader based update). User changes are written to a completely empty writable partition. If you nuke that partition like the factory does then your device is indistinguishable from another device currently sitting on the store shelf in every way except for hardware IMEI, hardware security keys, and the scratches you made on the case.

        • Clearly a software flash is not even involved in a "factory reset" - it wouldn't be needed if that partition truly hadn't changed.

          If this malware had root access, it could certainly add folders to that read only partition outside of an update. Unless you install an update after resetting, the OS won't get rewritten.

          I don't think it's quite known how it worked yet, but it does involve persistent files bring processed by the Play Store app.

    • by v1 ( 525388 )

      You're right, it's NOT a "factory reset". It's a "delete all users, apps, and reset all settings". If you have an iPhone, you have two reset options - a "delete all data and settings", and an actual "full reset". The former is like what android offers, but CAN miss things. The latter reboots off a recovery, FORMATS the main partition, and restores the FACTORY installation. That's how you do a "factory reset". Nothing that wasn't on the phone when you unboxed it is there after such a reset. ZERO chanc

      • by Zak3056 ( 69287 )

        > ZERO chance of persistence by malware.

        Very low, but probably not quite zero. Given that a full reset requires itunes, in theory, a compromised iphone could compromise the PC it was plugged into via USB and muck with the image blown back into the phone (and, bonus points, you've got a foothold in the PC as well).

        It seems EXTREMELY unlikely that someone would craft malware like this (far more complicated having to be able to compromise multiple systems, much larger footprint, easier to detect) but it is not hard to envision scenarios where a sta

      • by AK Marc ( 707885 )
        I worked for HP in 1999, they managed to get an "infection" in their support center. So they were "factory resetting" PCs to an image that was infected, and shipping CDs that were infected. This could affect anyone. Apple doesn't "factory reset" their phone. The proof? Buy something on iOS 1.0. Update it to iOS 2.0. Reset it to factory. You'll be on 2.0. So if someone can sneak in malware into the image you reset to, then you can survive a "factory reset".
      • > You're right, it's NOT a "factory reset". It's a "delete all users, apps, and reset all settings".

        False. All user apps and settings reside on a writable partition as distinct from the OS itself which resides on a read only partition that is only ever written by the bootloader (i.e. during a reboot when applying an update). Factory reset deletes all user writable partitions at which point the phone is completely indistinguishable from any other phone running that version of the OS and that security patch level (and hardware static strings like IMEI).

    • > This would only happen, of course, if the "Factory Reset" did not actually "reset" the device to a factory state.

      And you'd be wrong. Read the linked article. Factory Reset does reset the device completely including wiping the malware. Something related to the Playstore and the user account causes this malware to reinstall.

  • A factory reset won't get rid of any viruses that have rooted the phone and either have modified the system partition or have set up a virtual external SD card and put themselves there. Your only recourse is a reflash of the firmware.
  • Since the summary and TFA don't explain what's going on, but the removal instructions do:

    > Hidden within a directory named com.mufc.umbtts was yet another Android application package (APK). The APK in question was a Trojan dropper we promptly named Android/Trojan.Dropper.xHelper.VRW. It is responsible for dropping one variant of xHelper, which subsequently drops more malware within seconds.

    > Here's the confusing part: Nowhere on the device does it appear that Trojan.Dropper.xHelper.VRW is installed.
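The thread argues over two different readings of the same symptom: either the wipe left files behind, or the wipe was complete and something reinstalled the dropper afterwards. A defender can separate the two by diffing a storage listing taken before the reset against one taken after. The script below is an added example, not code from the thread, Malwarebytes or inputmag; it assumes each listing was captured with `adb shell find /sdcard -type f` (one path per line), the two listings embedded in it are constructed, and the only indicator name it knows is the com.mufc.umbtts directory quoted from the removal notes above.

```python
"""Diff a pre-reset and a post-reset storage listing from an Android device.

Added example (not from the thread, Malwarebytes or inputmag). Assumes each
listing came from `adb shell find /sdcard -type f`, one path per line.
"""
from typing import Iterable

# Directory name taken from the Malwarebytes removal notes quoted in the thread.
KNOWN_INDICATORS = ("com.mufc.umbtts",)

# Constructed sample listing taken "before" the reset; not a real capture.
PRE_RESET = """\
/sdcard/DCIM/Camera/IMG_0001.jpg
/sdcard/Download/invoice.pdf
/sdcard/com.mufc.umbtts/a.apk
/sdcard/Android/data/com.example.app/files/settings.db
"""

# Constructed "after" listing: the photo survived the wipe, the dropper
# directory is back with a file that did not exist before (reinstalled).
POST_RESET = """\
/sdcard/DCIM/Camera/IMG_0001.jpg
/sdcard/com.mufc.umbtts/b.apk
"""


def parse_listing(text: str) -> set[str]:
    """Turn a `find` listing into a set of paths, skipping blank lines."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def indicator_hits(paths: Iterable[str], indicators=KNOWN_INDICATORS) -> list[str]:
    """Paths that have a known indicator name as one of their path components."""
    return sorted(p for p in paths if any(i in p.split("/") for i in indicators))


def reset_report(pre_text: str, post_text: str) -> dict:
    """Split paths into wiped / survived / new and flag indicators in each class.

    'survived' means the reset did not remove the file (incomplete wipe);
    'new' means it appeared only after the reset, which points at
    reinstallation rather than persistence through the wipe.
    """
    pre, post = parse_listing(pre_text), parse_listing(post_text)
    survived, wiped, new = pre & post, pre - post, post - pre
    return {
        "wiped": sorted(wiped),
        "survived": sorted(survived),
        "new": sorted(new),
        "indicator_survived": indicator_hits(survived),
        "indicator_new": indicator_hits(new),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(reset_report(PRE_RESET, POST_RESET), indent=2))
```

An indicator under `indicator_survived` supports the "the wipe missed it" reading; one under `indicator_new` supports the "it came back afterwards" reading that the linked article describes. Run it against real captures by replacing the two constructed strings with the contents of the two `find` listings.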

    • Here's the stupid thing. There is no official app preinstalled called "Google Play". The author is confusing people intentionally. This reinfection vector has nothing to do with Google Play, but an app masquerading as it. On my device, I have: Google Pay, Google Play Games / Movies / Music / services / services for AR, Google Play Store, Google VR Services, Google Services Framework. Absolutely nothing called Google PLAY, especially not capitalized like that. That particular app was probably installed by
  • The only plausible attack vector for this would be reinstalling the same compromised application.

    PEBKAM

  • > A particularly persistent malware infection has been spreading amongst Android phones

    How?

    > Malwarebytes has found that somehow the Trojan xHelper is being deployed from the Play Store itself

    A total non story then.
