The only real way to win in that case is to flash a more secure ROM (if one is even available) or replace the phone. You can remove the malware via recovery - either by completely reflashing the device with stock images or through a more tedious replacement of the compromised system components for manual removal - but even then, some of the factory images for these cheap Chinese devices come loaded with malware which simply pulls down xHelper all over again. But that's not the only trick up xHelper's sleeve, it also modifies an internal Android system library (libc) to disable mounting the system partition in write mode at all, and outright uninstalls root-friendly apps like Superuser that might make the process a little easier. Furthermore, the files the malware writes are given an additional immutable attribute, so even a rooted user in the know can't easily muck them out. During normal system operation, it's mounted as read-only, so a user can't simply uninstall an app to get rid of all the malware's many tendrils, it's buried deep inside together with the components your phone needs to work. That's because usually the system partition can't be written to. Once it has root privileges, it directly installs malware to the system partition that is capable of re-infecting the phone at any time, and it's especially pernicious and difficult to remove.
The details come courtesy of a Kaspersky researcher (spotted by Ars Technica), who discovered that the malware downloads a rootkit that primarily affects Android versions 6-7 - somehow affecting Chinese phones more than others.
0 kommentar(er)
