xHelper – Phone Security Threat

A little more than half of the people who read this article will be reading it from an Android-based device or have an Android-based device that they use regularly. If you are one of the millions of people who use and love Android, make sure you pay attention!

Mobile device security is not a new concern. Essentially the moment consumer wireless devices started working their way into the corporate environment network security engineers everywhere became nervous, and for good reason. That reason is those mobile devices are outside of their control.

The latest security concern for Android devices came out earlier this year and is known as “xHelper.” What makes xHelper different from most other security threats is that it is next to impossible to clean off of a device. If you uninstall it, it comes back. You are out of luck if you think a factory reset will help you, because the program somehow manages to embed itself into the factory recovery settings during the original install settings.

Before you get overly worried, xHelper is not something you need to rush to push a patch out or take technical action to prevent. xHelper CANNOT install itself accidentally, automatically, or via script. This software needs quite a bit of manual intervention to install itself. This is unlike most security threats, and as such this issue can be completely prevented by user education.

According to security firm Malwarebytes, the source of the xHelper infection is various web redirects that take users to a website. That website then provides step by step instructions on how to “Side-Load” the program. Essentially, the instructions walk the user through creating a security hole in their device. It then walks them through using that security hole to manually install the bad program, clicking “ignore” and “install anyway” on several security prompts along the way. Despite the large and technically complex install method, over 45,000 users have the software installed with hundreds more installing every day.

I’m sure that of those 45,000 devices, that more than one of them probably has access to company resources such as email or line of business applications.

I think the biggest thing we should learn from the xHelper situation is it does not matter how much money you spend on security to keep your IT assets safe if you do not spend the proper time educating your workforce on how to safely and properly use the tools they have access to. This includes tools they may be providing themselves.

Some key things we should be teaching users:

  • Don’t click links unless you are 100% sure they are safe!
  • You should never install untrusted software. If you are unsure, ask your IT team for help.
  • Safe apps will never give you security prompts unless they are broken, or unsafe. Don’t install them!
  • If you have access to work resources on your device, treat it like your company owned computer. Carefully, thoughtfully, and ask for help frequently.
  • It is easier and cheaper for your company’s IT department check if the link you want to click is safe or if the app you need to download is good 10,000+ times than help clean up after a single security breach.

Have any questions about mobile security or user education? Feel free to contact us at any time!

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author