The Secret Behind 'Unkillable' Android Backdoor Called xHelper Has Been Revealed

An anonymous reader quotes a report from Ars Technica: In February, a researcher detailed a widely circulating Android backdoor that's so pernicious that it survives factory resets, a trait that makes the malware impossible to remove without taking unusual measures. The analysis found that the unusual persistence was the result of rogue folders containing a trojan installer, neither of which was removed by a reset. The trojan dropper would then reinstall the backdoor in the event of a reset. Despite those insights, the researcher still didn't know precisely how that happened. Now, a different researcher has filled in the missing pieces.

Last week, Kaspersky Lab researcher Igor Golovin published a post that filled in some of the gaps. The reinfections, he said, were the result of files that were downloaded and installed by a notorious trojan known as Triada, which ran once the xHelper app was installed. Triada roots the devices and then uses its powerful system rights to install a series of malicious files directly into the system partition. It does this by remounting the system partition in write mode. To make the files even more persistent, Triada gives them an immutable attribute, which prevents deleting, even by superusers. (Interestingly, the attribute can be deleted using the chattr command.) A file named install-recovery.sh makes calls to files added to the /system/xbin folder. That allows the malware to run each time the device is rebooted. The result is what Golovin described as an "unkillable" infection that has extraordinary control over a device.

Re:

[gtall]

Shut up, Trump.

Re:

[mrclevesque]

"In a statement, Gilead said the “totality of the data [needs] to be analyzed in order to draw any conclusions from the trial. Anecdotal reports, while encouraging, do not provide the statistical power necessary to determine the safety and efficacy profile of remdesivir as a treatment for COVID-19.”

"Partial data from an ongoing clinical trial is by definition incomplete and should never be used to draw conclusions about the safety or efficacy of a potential treatment that is under investigation,

You know, eMMC/EEPROM/etc aren't expensive

[weilawei]

Why can they not put a write-protected chunk of flash memory onboard, like, say, a BeagleBone? Then you boot normally from the other chunk of flash, onboard or on an SD card.

Yeah, yeah, cost..

Re:

[Revek]

You know odins is even cheaper.

Re:You know, eMMC/EEPROM/etc aren't expensive

[rtb61]

The problem in reality, hackers being readily able to access root partition and users being banned from it, so they can not fix it or install more secure software to secure it but the corporation that sold the phone retains total control, total power, their device never yours and they do not give a fuck who hacks you as long as they can continue to invade your privacy and control you via your device.

Re:

[gweihir]

They already have that. The factory reset uses it. This is just a really badly implemented "factory reset", probably to allow any bloatware to survive as well.

Re:

[skullandbones99]

The device you are looking for is called a ROM or OTP memory. Using these devices is inflexible and expensive hence FLASH gets used for the storage of "permanent" file systems.

Typically, SoCs (System on chips) have an initial boot loader in ROM that allows the chip to load and execute other initial bootloaders stored in FLASH or to download an initial bootloader into RAM and boot it. Security can be done by checking the signature of the bootloaders in FLASH by using an encryption routine and a key. However

Reflash from PC

[Anonymous Coward]

Most manufacturers used to provide a way to flash the entire memory from the computer with a pristine image.

Obviously, that meant people could actually reset their phones to factory completely, and that is BAD, and so Samsung removed this functionality from their (user) PC tools.

Leaving you with crappy builtin "factory reset" (which just does the equivalent of an rm -rf /data , not even mkfs ) and hoping your other partitions were not altered in any way during the very likely insecure OTA process.

Samsung still allows reflashing

[_merlin]

You can still reflash Samsung phones in Odin mode to completely restore the root partition, downgrade, etc. For phones without a physical Home button, you need to turn the phone off, hold Volume Down, Bixby and Power until it boots to the warning screen, then press Volume Up to confirm (Bixby replaces Home). You can then reflash the phone over USB from a PC.

chattr is "interesting"?

[sabri]

Interestingly, the attribute can be deleted using the chattr command.

Yeah, dumbass. If you remove the immutable attribute, you can use rm again... Super-interesting...

Re:

[Khyber]

The interesting part is that you can remove an immutable attribute once it has been applied. That defeats the purpose of being immutable in the first place.

Re:chattr is "interesting"?

[Solandri]

No, the immutable attribute is just an extra layer of protection so you don't accidentally delete the file. It's like a cotter pin, or the plastic flip cover on fire alarms. They prevent you from accidentally removing the retaining bolt or pulling the alarm switch. But once you pull the pin or flip open the cover (presumably deliberately), you can remove the bolt or pull the alarm switch.

Re:

[_merlin]

On BSD you usually have to switch to a lower run level to remove the immutable attribute. It generally requires physical access because networking will be disabled at the lower run level. It's clearly not bullet-proof, but it's still useful for protecting things that shouldn't be changed under normal circumstances. The attribute is less useful on Linux where it can be changed at normal run level.

Re:

[hey!]

"Those who do not understand Unix are condemned to reinvent it. Poorly." -- Henry Spencer

Re:

[brunes69]

It's about as interesting as the idea that someone with root access can, SURPRISE, write data to the root partition.

News at 11.

Re:

[account_deleted]

Comment removed based on user account deletion

Re: Then you should use LineageOS

[BAReFO0t]

Call me when it is available for anything but the older models of the most mainstream lines/brands. Because I'm not wasting money on the crap the average retard falls for.

Not really a factory reset

[ellbee]

So a factory reset doesn't get it back to the state it was in from the factory. "I do not think it means what you think it means.” -Inigo Montoya

Re:

[drinkypoo]

That's always been true. The nerds already knew that if you really want to restore your phone to true factory condition you had to reflash it. You can often download the factory system image from the vendor, and you can also commonly get them from XDA.

Re:

[Bu11etmagnet]

'When I use a word,' Humpty Dumpty said in rather a scornful tone, 'it means just what I choose it to mean -- neither more nor less.'

As usual

[spiritplumber]

As usual, the "hacked" (rooted by the user, possibly carrying a custom ROM) device is more secure than the "secure from factory" device. When will people learn?

Re:

[Bengie]

I admit, I am not familiar with rooting or what you can do after, but most stories that I have seen about really bad malware on android stealing normally secure information, generally only affects rooted phones.

Re: As usual

[BAReFO0t]

That is complete nonsense.

Malware targets security holes, using exploits. If you ever saw an app that advertised "rooting", like KingoRoot, that is how they do it too. (Don't use such tools. They are for idiots.)

What malware author would target only that minority of competent users (those who have root access to their OWN phones) anyway?

You may have seen root users reporting the malware because those are the only one with the competence and ability to even tell they are infected.

Re:

[MrKaos]

What malware author would target only that minority of competent users (those who have root access to their OWN phones) anyway?

The thing that concerns me is I don't have root access to my own phone by default. Granted that most people wouldn't know how to use it, but it would be sure handy to be able to be able to set my own security policy by default for the phone as opposed to being forced to trust it - which I don't.

So who really owns the phone I paid for?

Re:

[swillden]

The thing that concerns me is I don't have root access to my own phone by default. Granted that most people wouldn't know how to use it, but it would be sure handy to be able to be able to set my own security policy by default for the phone as opposed to being forced to trust it - which I don't.

What's an example of a security policy you would like to set? If it's a good idea, I'm happy to help get it into the next release of Android (well, probably the 2021 release; the 2020 release is all but done).

Re:

[MrKaos]

The thing that concerns me is I don't have root access to my own phone by default. Granted that most people wouldn't know how to use it, but it would be sure handy to be able to be able to set my own security policy by default for the phone as opposed to being forced to trust it - which I don't.

What's an example of a security policy you would like to set? If it's a good idea, I'm happy to help get it into the next release of Android (well, probably the 2021 release; the 2020 release is all but done).

Well, I'd like to start with an app wide permissions policy so that I can *exclude* certain apps from accessing phone features they don't need, e.g. why does a torch function need to access my address book, kind of sillyness. Fine if the access policy for the app is set to allow all requested initially for the bulk of users who think they don't care, however I'd like the facility to deny all, by default and if it breaks the app I can then decide if I value this functionality enough to grant it access.

By p

Re:

[swillden]

Well, I'd like to start with an app wide permissions policy so that I can *exclude* certain apps from accessing phone features they don't need, e.g. why does a torch function need to access my address book, kind of sillyness.

You can already do this, though not with every possible permission. For example, network access is universally allowed to all apps. You can definitely block Contacts (your example).

Also, why are you using a flashlight app at all? It's been a system feature for several years.

To manage app permissions Go into Settings -> Apps & Notifications -> Permission Manager. You'll see a list of permissions, and for each you'll see a count of how many apps have been allowed that permission of how many

Re:

[Mattcelt]

You lost credibility as soon as you asked the question, 'why are you...' Why s/he is doing something is absolutely, completely irrelevant, and misses the point entirely.

S/he was using a torch app as an example; there are tens, if not hundreds of thousands of other examples as a variation on that theme.

You asked what they wanted to see as features. They responded, very specifically, what features they wanted. You then replied with ways they could sort of, almost, but not quite, if-you-squint-your-eyes-jus

Re:

[MrKaos]

The general consensus is that too small a percentage of the 3B+ Android users would have any idea how to use this, so it doesn't make sense to implement and maintain it.

I'm you. I'm one of the people who show people how to do it. After that they can teach each other.

However, there is one way you can do it easily enough: run a VPN server and configure your phone to use that VPN

Thanks for the tip but it doesn't really solve the problem. I want to stop information leaking out of the device so I can trust it.

This is a topic of regular debate.

Every aspect of the phone can be used to access the internals of our private lives and I can't even put up a firewall. I don't trust the platform without having full control of root access to maintain the integrity of device myself. The *why* and *what* I want to do with is no

Bengie's right. Malware with root access is bad

[raymorris]

It's bad when malware has root access. Over the last couple years, some of the really bad Android malware has indeed received root from - people who have root.

I rooted my phone, and I understand why you might want to root yours. And rooting involves bypassing the security restrictions of the OS. That does not make your device safer.

Additionally those who root their phones are at least a thousand times more likely to have set them to allow installation of apps from unknown sources (sources other than the Pl

Re:

[Bengie]

My limited understanding based on what I have read is that rooting generally requires disabling certain security features. I would understand that it is possible to add some features back in after rooting, but generally I see stories that say people root their phones and it leaves them wide open to certain types of malware. For example. If I want to get my Google Auth security key, I have to root my phone. Once I root it, I can trivially access the the "secure" data. Just that simple bit of information, I c

Re:

[mccrew]

Aw Geeze, are you trotting out the old Slashdot blame-the-user straw man?

If you are suggesting that vendors should be held to much higher standards, then I'm on board with you. (and skip the rest of this)

What is it specifically that people are supposed to learn? That in order to pass their smartphone license Slashdot approved certification they have to put their lives on hold and become an expert on programming smartphones, loading custom firmware, writing iptables rules, and boning up on the intricacies

Re:

[swillden]

As usual, the "hacked" (rooted by the user, possibly carrying a custom ROM) device is more secure than the "secure from factory" device. When will people learn?

Absolutely wrong.

Although there are some great security-focused custom ROMs out there (GrapheneOS comes to mind), if your device is rooted it is strictly less secure than a factory device. I'm a member of the Android Platform Security team and if you disagree with the last statement I have a data point for you: No one on the Android security team uses a rooted device for either personal or corporate data. Rooting seriously undermines the Android security model, especially if you use root to disable SELi

Old-school methods

[SirJorgelOfBorgel]

This whole method wouldn't work on any modern device following Google's recommendations for partition setup and security. On such a device you wouldn't be able to modify the system partition even with root and if you did it wouldn't boot.

install-recovery hasn't been supported since several Android versions, and it together with chattr are very old-school ways of root survival. Every non-malicious jailbreak app covering the "vulnerable" Android version uses them, they use it to keep the device jailbroken thr

Re: Old-school methods

[BAReFO0t]

Don't worry, Google will do that for them.
(AFAIK, the Play "store" has the feature to automatically install all your apps when you start using another phone with the same Google account.)

Been waiting for this.

[278MorkandMindy]

Can't for love nor money root my phone, time to give this a crack??

Root Locked Phone

[sonwon]

So I am wondering if I could exploit this method or code to root my locked phone.