xHelper: The Russian Nesting Doll of Android Malware


Level 68
Content Creator
Malware Hunter
Aug 17, 2014
The “undeletable” xHelper malware – which ultimately results in the installation of the Triada trojan – has become a virulent scourge for Android devices this year, according to researcher analysis – bringing with it a hallmark of being virtually indestructible for the common user.

xHelper is known for its persistence – it stays entrenched on the phone even if the device has been restored to factory settings by secretly re-installing itself. First spotted last year, researchers said they have observed ongoing surges in detections of the malware, which hides itself from users, downloads malicious apps onto the phone and displays pop-up advertisements.

According to analysis by Kaspersky, the latest sample of xHelper uses a Russian nesting-doll type architecture to worm its way into the heart of Android devices.

The infection chain starts by convincing a victim to download a rogue trojanized app – in this case, xHelper is embedded in an app that masquerades as a popular cleaner and speed-up utility for smartphones, according to an analysis published on Tuesday.

After installation, the supposed cleaner is listed as one of the installed apps in the system settings, but otherwise disappears from the victim’s view – there’s no icon present and it doesn’t show up in search results.

But according to Igor Golovin, research analyst at Kaspersky, a payload is decrypted in the background whose task it is to fingerprint the victim’s phone, including the unique user ID, manufacturer, model, firmware version and so on. The malware sends that off to a remote server and then starts unpacking a dropper-within-a-dropper-within-a-dropper – thus evoking the aforementioned nesting dolls (which are known as matryoshka in Russian).

Specifically, the fingerprinting module fetches one dropper (i.e., a downloader), which has its own bundled library that it uses to run itself, according to the analysis. This self-contained module has the sole task of launching yet another dropper, called “Helper.” But it doesn’t stop there – there’s another dropper, called Leech, nested inside the Helper downloader, which is then executed. [....]


Staff member
Malware Hunter
Jul 27, 2015
Information collected and shared for better overview on more vendors. Full list available here :
Last edited: