New version of Android.Xiny trojan spotted online

Jan 24, 2020 07:47 GMT

An Android trojan first spotted in 2015 has returned five years later with updated capabilities, including a mechanism that uninstalls pre-loaded apps to make room for the apps it installs itself.

The Android.Xiny trojan specifically targets devices running older Android versions: an analysis by Dr. Web shows that the malware typically targets Android 5.1 and below.

At first glance, this might not seem like a big deal, but the security company points to data shared by Google last year which revealed that Android 5 and earlier were still powering some 25 percent of all Android devices out there. In other words, 1 in 4 Android users might be vulnerable to Android.Xiny attacks.

The updated version of the malware retains the capability of installing apps without user permissions, but this one comes with extra “features.”

Android.Xiny obtains root access on compromised Android devices and establishes persistence so that it launches automatically after every reboot. It does this by replacing the system files /system/bin/debuggerd and /system/bin/ddexe, and then waits for instructions from a command and control server.
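Because the persistence mechanism is a swap of two known system binaries, a defender's first check is a file-integrity comparison of exactly those paths. The script below is an added illustration, not Dr. Web's tooling; it assumes the two files have already been copied off the device (for example with `adb pull /system/bin/debuggerd pulled/` and `adb pull /system/bin/ddexe pulled/`) and that a baseline of SHA-256 digests was recorded from a clean firmware image of the same build.

```python
"""Integrity check for the /system/bin files Android.Xiny replaces (added example)."""
import hashlib
import os
import tempfile

# The two files the trojan overwrites for persistence, as named in the article.
WATCHED = ("debuggerd", "ddexe")


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_pulled_bin(pulled_dir, baseline):
    """Compare pulled copies of the watched files against baseline {name: sha256}.

    Returns {name: "ok" | "modified" | "missing"} so that a missing file
    (deleted rather than replaced) is reported separately from a swapped one.
    """
    result = {}
    for name in WATCHED:
        path = os.path.join(pulled_dir, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        elif sha256_of(path) != baseline.get(name):
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


def demo():
    """Run the check on constructed sample files (placeholder bytes, not real binaries)."""
    with tempfile.TemporaryDirectory() as d:
        clean = {"debuggerd": b"clean debuggerd bytes", "ddexe": b"clean ddexe bytes"}
        for name, data in clean.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        baseline = {n: hashlib.sha256(b).hexdigest() for n, b in clean.items()}
        before = check_pulled_bin(d, baseline)
        # Simulate the trojan swapping in its own debuggerd on the pulled copy.
        with open(os.path.join(d, "debuggerd"), "wb") as f:
            f.write(b"replacement loader bytes")
        after = check_pulled_bin(d, baseline)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Treat a "modified" result as a lead rather than proof: a vendor firmware update also changes these files, so the baseline must come from the same build as the device under inspection.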

How to remove the malware

The malware also removes installed apps that would give the user root access, making it much harder for anyone to clean the infection. Furthermore, it modifies the library file lbc.so to block users from reinstalling these apps.

The pre-loaded apps on an infected device are removed to make room for apps that the trojan installs on its own. More often than not, attackers use these apps to generate revenue from pay-per-install referral programs.

Attackers often install large numbers of apps on a compromised device, which dramatically reduces performance and can render the device practically unusable.

Removing Android.Xiny isn’t an easy thing to do. You can either flash a clean ROM to start from scratch on a compromised device, or attempt to regain root access using more complex methods.

“To gain root access, one can resort to exploits that are implemented as library files. Unlike executable code, library code won't be blocked by the trojan. Another option is to use the trojan component that grants root permissions to its other components,” Dr. Web explains.

Regular backups are recommended, since reflashing the device may be the only option after a successful Android.Xiny infection.