
Nasty old Android malware with new capabilities gets difficult to remove

There are over 2.5 billion Android users worldwide, which makes Android devices a lucrative target for malicious hackers and cybercriminals. In 2016, Dr.Web, a Russian anti-virus company, spotted an Android malware dubbed Android.Xiny.5260, which at that time had not only infected millions of Android devices but had also made it into over 60 gaming apps on the Play Store.

However, three years later, as 2019 came to an end, the system-monitoring routine of the anti-virus software present on devices started detecting changes in a file named /system/lib/libc.so, the C standard library that virtually every process on the device depends on. When researchers investigated, it was found that these files belonged to the Android.Xiny malware family discovered back then.
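The detection described above is a file-integrity check: a known-good hash of a watched system library is recorded, and any later change in the file's contents is flagged. The following is an added example of that technique written for this page; it is not Dr.Web's code, and the watch list, the temporary directory standing in for a device's /system tree, and the file contents are all constructed for the demonstration.

```python
"""
Minimal file-integrity monitor of the kind that surfaced the tampering with
/system/lib/libc.so. Added example, not code from Dr.Web or the article.
The watched paths, the stand-in "device" tree and the file bytes are
constructed here so the script runs offline on any machine.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed watch list: relative paths of system libraries worth baselining.
WATCHED = ["system/lib/libc.so", "system/lib/libdvm.so"]


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large libraries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, watched) -> dict:
    """Record the hash of every watched file that exists under root."""
    return {rel: sha256_of(root / rel) for rel in watched if (root / rel).exists()}


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline.

    Returns {relative_path: status} where status is one of
    'ok' (unchanged), 'modified' (hash differs) or 'missing' (file gone).
    """
    report = {}
    for rel, expected in baseline.items():
        p = root / rel
        if not p.exists():
            report[rel] = "missing"
        elif sha256_of(p) != expected:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    return report


def demo() -> dict:
    """Build a constructed /system tree, baseline it, tamper with libc.so, re-check."""
    root = Path(tempfile.mkdtemp())  # stand-in for the device root, not a real image
    for rel in WATCHED:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"clean library bytes for " + rel.encode())
    baseline = build_baseline(root, WATCHED)

    # Simulate what the on-device monitoring observed: libc.so changed on disk.
    (root / "system/lib/libc.so").write_bytes(b"tampered library bytes")
    return check_integrity(root, baseline)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{rel}: {status}")
```

On a real device the baseline would be taken from a trusted source (a pristine firmware image or the vendor's published hashes) rather than from the device itself, since a monitor that baselines an already-infected system will report the tampered library as "ok".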

Currently, though, we know that this Android malware only infects devices running Android version 5.1 or lower, which make up about 25% of the market, equating to approximately half a billion smartphones.

This trojan operates by installing applications without the user's authorization, a behaviour it shares with a range of other Android malware. It then earns money by displaying ads within those newly installed apps or by participating in "pay-per-install" referral programs.

However, the concerning part is that it is very difficult to get rid of. As detailed by the researchers, the trojan's APK file is set to read-only: the application itself can be deleted, but it re-appears as soon as you reboot the device, so deletion is only a temporary fix.

Yet every malware has a cure, and so does this one. If one resets the APK file's attributes, the read-only property is overridden and the re-appearing described above no longer occurs.

Nonetheless, this requires an anti-virus app to which you grant root privileges, and not everyone will be comfortable doing that. A recommended approach is to select a trusted app, remove the trojan, and then revoke the root privileges once done.

A second way is to flash your phone, which basically means manually installing a fresh version of Android or a different operating system. Dr.Web also elaborates on another method, stating:

“Another option is to use the trojan component that grants root permissions to its other components. The instruction is transmitted using this socket path: /dev/socket/hs_linux_work201908091350 (a different path may be used by other trojan versions). To circumvent the altered mount routine, one can use that very ‘magic’ mount flags value or invoke the required system call directly.”

Even if one has successfully removed this, it is important to remember that it is not the only threatening piece of malware out there. Over the past few months, we’ve seen banking trojans, apps that can bypass 2FA, apps that can even disable Google’s own security mechanisms, and much more.

Hence it is impossible to keep up with all of these, so the best you can do is stick with a good security solution for your smartphone and employ a little common sense – Godspeed!
