Here Is How The Android Malware That Survives Factory Reset Works
A few months ago, researchers came across a peculiar Android trojan known as xHelper. The malware disguises itself as some cleaner or speed-up smartphone app.
The main trait of the virus that took security experts by surprise was the fact that the malware can survive the factory reset process. In other words, it was “unkillable” for normal Android users.
Since gaining knowledge of the existence of xHelper, researchers have been trying to understand its underlying mechanism. Now, Kaspersky researchers have finally surfaced with an answer.
The secret of “Unkillable” Android Trojan
According to their report, xHelper downloads the Triada Trojan, known for gaining root privileges, as soon as xHelper is installed on the Android device.
With root rights, Triada remounts the phone system partition into write-mode which is otherwise read-mode only, and installs malicious files on the system partition. This makes uninstalling the app useless since now the malware roots have reached the system partition.
On top of that, Triada gives these files an immutable attribute, which makes it difficult even for root users to weed out the malicious files. The malware also modifies the Android library to prevent anyone from mounting the partition into write mode, the researchers noted.
How to save your Android phone?
It is estimated that over 45,000 devices have been targeted by xHelper trojan so far. However, one crucial detail to note is that it primarily affects devices that are running Android versions 6 or 7.
Researchers say that one can remove the malware by completely reflashing the targeted device. But, since the virus is known to simply come back, especially on cheap Chinese devices that come with pre-loaded malware, it is best to either install a different ROM or replace the device altogether.