At the beginning of 2019, malware researchers spotted a new threat that exclusively targets Android devices: the xHelper Trojan. Back then, the xHelper Trojan did not get much traction, as its reach appeared to be fairly limited. Its creators, however, have since upped their game with considerable success, and this threat is now among the top ten most active Android malware strains. The xHelper Trojan has two different variants, and experts speculate that both are being distributed in the same manner. One of the variants is able to hide its components almost entirely, while the other one leaves some noticeable traces of its activity.

Propagation Methods

Normally, threats targeting Android devices tend to masquerade as popular applications so that users will not suspect a thing when installing them. However, the authors of the xHelper Trojan have decided to mask their threat as a rather obscure application, which only has a couple of dozen downloads.

Semi-Stealthy xHelper Variant

Usually, when one installs an application, the application will add its icon to the device's app list. However, this is not what happens with the semi-stealthy variant of the xHelper Trojan. It is likely that the creators of this threat have opted to do this so that the user is less likely to notice the presence of any shady activity. Once the xHelper Trojan is installed on a device, it will begin spamming the user with advertisements in the notification bar. The advertisements appear to be promoting legitimate websites and services, so it is likely that the operators are using pay-per-click revenue streams.

Fully Stealthy xHelper Variant

The fully stealthy variant of the xHelper Trojan is much more threatening than the semi-stealthy one. This variant of the xHelper Trojan appears to be used as a first-stage payload, which will allow its operators to plant more threats on the compromised host. If xHelper's stealth variant ends up on your device, you might not see any traces of its presence apart from a small entry titled 'xhelper,' which can only be seen if you view the 'App Info' menu closely. The xHelper Trojan will launch a '.JAR' file, which is heavily obfuscated and carries the secondary payload that will be planted on the device. It is not yet known what the purpose of the secondary payload is, but experts speculate that it may enable the attackers to execute remote commands on the compromised host.

Many of the xHelper Trojan's victims appear to be situated in the United States. The servers hosting these applications are also located in the United States, so it is likely that this is where the attackers are operating from. You should look into obtaining a legitimate anti-virus tool for your Android device if you want to avoid being a victim of a threat like the xHelper Trojan.

1 Comment

The stealth variant of x helper brings in tons of malware every minute. They reinstall and eat up battery life even when off internet and even on airplane mode.

Even Avast and Malwarebytes cannot see all of them.

I have to open file managers to manually remove fireplo, helper, magic, homestyler. They become more persistent and hidden the more you remove them.

