{
	"id": "7024ff04-bbea-4a4a-84a9-ff749eb6d4d6",
	"created_at": "2026-04-06T00:10:11.408916Z",
	"updated_at": "2026-04-10T03:21:23.615685Z",
	"deleted_at": null,
	"sha1_hash": "44960e8bae4c0d0aa4d715c1fdb3b592ca045f87",
	"title": "Unkillable xHelper and a Trojan matryoshka",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 572189,
	"plain_text": "Unkillable xHelper and a Trojan matryoshka\r\nBy Igor Golovin\r\nPublished: 2020-04-07 · Archived: 2026-04-05 14:50:45 UTC\r\nIt was the middle of last year that we detected the start of mass attacks by the xHelper Trojan on Android\r\nsmartphones, but even now the malware remains as active as ever. The main feature of xHelper is entrenchment\r\n— once it gets into the phone, it somehow remains there even after the user deletes it and restores the factory\r\nsettings. We conducted a thorough study to determine how xHelper’s creators furnished it with such survivability.\r\nShare of Kaspersky users attacked by the xHelper Trojan in the total number of attacks, 2019-2020\r\nHow does xHelper work?\r\nLet’s analyze the family’s logic based on the currently active sample Trojan-Dropper.AndroidOS.Helper.h. The\r\nmalware disguises itself as a popular cleaner and speed-up app for smartphones, but in reality there is nothing\r\nhttps://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/\r\nPage 1 of 7\r\nuseful about it: after installation, the “cleaner” simply disappears and is nowhere to be seen either on the main\r\nscreen or in the program menu. You can see it only by inspecting the list of installed apps in the system settings.\r\nThe Trojan’s payload is encrypted in the file /assets/firehelper.jar (since its encryption is practically unchanged\r\nfrom earlier versions, it was not difficult to decrypt). Its main task is to send information about the victim’s phone\r\n(android_id, manufacturer, model, firmware version, etc.) to https://lp.cooktracking[.]com/v1/ls/get…\r\nDecrypting the URL for sending device information\r\n…and downloading the next malicious module — Trojan-Dropper.AndroidOS.Agent.of.\r\nThis malware in turn decrypts and launches its payload using a bundled native library; this approach makes it\r\ndifficult to analyze the module. At this stage, the next dropper, Trojan-Dropper.AndroidOS.Helper.b, is decrypted\r\nand launched. This in turn runs the malware Trojan-Downloader.AndroidOS.Leech.p, which further infects the\r\ndevice.\r\nLeech.p is tasked with downloading our old friend HEUR:Trojan.AndroidOS.Triada.dd with a set of exploits for\r\nobtaining root privileges on the victim’s device.\r\nDecoding the URL of the Leech.p C\u0026C\r\nDownloading the Triada Trojan\r\nMalicious files are stored sequentially in the app’s data folder, which other programs do not have access to. This\r\nmatryoshka-style scheme allows the malware authors to obscure the trail and use malicious modules that are\r\nknown to security solutions. The malware can gain root access mainly on devices running Android versions 6 and\r\n7 from Chinese manufacturers (including ODMs). After obtaining privileges, xHelper can install malicious files\r\ndirectly in the system partition.\r\nNote here that the system partition is mounted at system startup in read-only mode. Armed with root rights, the\r\nTrojan remounts it in write mode and proceeds to the main job of starting the tellingly named script forever.sh.\r\nTriada employs its best-known tricks, including remounting the system partition to install its programs there. In\r\nour case, the package com.diag.patches.vm8u is installed, which we detect as Trojan-Dropper.AndroidOS.Tiny.d.\r\nAnd several executable files get copied to the /system/bin folder:\r\npatches_mu8v_oemlogo — Trojan.AndroidOS.Triada.dd\r\ndebuggerd_hulu — AndroidOS.Triada.dy\r\nkcol_ysy — HEUR:Trojan.AndroidOS.Triada.dx\r\n/.luser/bkdiag_vm8u_date — HEUR:Trojan.AndroidOS.Agent.rt\r\nA few more files are copied to the /system/xbin folder:\r\ndiag_vm8u_date\r\npatches_mu8v_oemlogo\r\nA call to files from the xbin folder is added to the file install-recovery.sh, which allows Triada to run at system\r\nstartup. All files in the target folders are assigned the immutable attribute, which makes it difficult to delete the\r\nmalware, because the system does not allow even superusers to delete files with this attribute. However, this self-defense mechanism employed by the Trojan can be countered by deleting this attribute using the chattr command.\r\nThe question arises: if the malware is able to remount the system partition in write mode in order to copy itself\r\nthere, can the user adopt the same strategy to delete it? Triada’s creators also contemplated this question, and duly\r\napplied another protection technique that involved modifying the system library /system/lib/libc.so. This library\r\ncontains common code used by almost all executable files on the device. Triada substitutes its own code for the\r\nmount function (used to mount file systems) in libc, thereby preventing the user from mounting the /system\r\npartition in write mode.\r\nOn top of that, the Trojan downloads and installs several more malicious programs (for example, HEUR:Trojan-Dropper.AndroidOS.Necro.z), and deletes root access control applications, such as Superuser.\r\nHow to get rid of xHelper?\r\nAs follows from the above, simply removing xHelper does not entirely disinfect the system. The program\r\ncom.diag.patches.vm8u, installed in the system partition, reinstalls xHelper and other malware at the first\r\nopportunity.\r\nInstalling programs without user participation\r\nBut if you have Recovery mode set up on your Android smartphone, you can try to extract the libc.so file from the\r\noriginal firmware and replace the infected one with it, before removing all malware from the system partition.\r\nHowever, it’s simpler and more reliable to completely reflash the phone.\r\nBear in mind too that the firmware of smartphones attacked by xHelper sometimes contains preinstalled malware\r\nthat independently downloads and installs programs (including xHelper). In this case, reflashing is pointless, so it\r\nwould be worth considering alternative firmwares for your device. If you do use a different firmware, remember\r\nthat some of the device’s components might not operate properly.\r\nIn any event, using a smartphone infected with xHelper is extremely dangerous. The malware installs a backdoor\r\nwith the ability to execute commands as a superuser. It provides the attackers with full access to all app data and\r\ncan be used by other malware too, for example, CookieThief.\r\nSource: https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/"
	],
	"report_names": [
		"96487"
	],
	"threat_actors": [],
	"ts_created_at": 1775434211,
	"ts_updated_at": 1775791283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44960e8bae4c0d0aa4d715c1fdb3b592ca045f87.pdf",
		"text": "https://archive.orkl.eu/44960e8bae4c0d0aa4d715c1fdb3b592ca045f87.txt",
		"img": "https://archive.orkl.eu/44960e8bae4c0d0aa4d715c1fdb3b592ca045f87.jpg"
	}
}