Hello, welcome to the Wednesday, October 30th, 2019 edition of the Sansonet Storms, Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Semantic has a brief write-up of X-helper, Android Malaver, that has been on the increase over the last few months according

to Symantec with about 45,000 devices infected.

Now what makes this Malver kind of special is that it's very persistent, hard to get rid of,

and also not that easy to actually notice. It doesn't install itself as a

regular application but instead just as an application component. What that means for an Android

user is that you don't see the actual application as part of the regular user interface.

Instead, it launches itself based on a number of events.

So, for example, if you connect your phone to power or disconnected from power, if you reboot it,

and a couple of other actions are linked to this particular application component

and will start X helper.

Now once it's up and running it will connect to a command control server, this connection uses

TLS and also key pinning which means that you can't easily intercept a connection with

a standard man in the middle proxy.

Once connected to the command control server, it's then instructed to download and install

additional components.

If you manage to exit X Helper, well, it will just start itself again.

Now the good news if you want to call it that is that this application is not using a particular exploit to install itself.

It is installed willingly by users as a component of other software they may download.

So one step of course that you can take to protect yourself is to not download applications

...