Any device is vulnerable to malware if not properly secured. New research from Dr.Web, an online group of cybersecurity experts reveals about a dangerous malware that’s almost impossible to be removed from hosts! This malware named Xiny is exclusive to Androids and particular versions only.

Researchers observed a new variant of Xiny malware with an improved self-defense mechanism where this malware targets only the older versions of the Android devices and gains the complete root access of the vulnerable Android device.

This malware called Xiny, which was first found in 2015 and actively infecting phones since 2016, is now live again. This malware’s named as Android.Xiny. and has infected millions of Android smartphones to date.

It infects Android device version Android 5.1 and below, according to a Google report dated May 7, 2019, 25.2% of users are still using Android 5.1 and below devices.

android usage

An interesting thing here is, this malware is subjected to only Androids and that too, phones running on versions 5.1 and below only.

We may wonder who’ll be using such outdated OS eve today, but Google reports show that over 25% of total active Android phones are version 5.1 and below. That contributes to more than 500 million smartphones in the market.

Also Read: How to create a virus

What Does It Do?

Once the Xiny Malware is infected device, attackers install apps that comes under pay-per-install referral programs for monetary benefits. In some cases, they use to install tons of harmless apps which may render the device non-operational.

Once launched it updates “/system/bin/debugged and /system/bin/ddexe” to get launched automatically and also updates system directories. It also contains a list of apps and files to delete from the device, to free up memory space.

Too Hard To Be Removed

Researchers revealed that this trojan malware is so hard to be removed from the infected handset. It’s typical that, this malware is set in a read-only file rather than app format, making it harder to be deleted.

Researchers have tried a lot to remove this app from the infected device, but it’s so strong to reincarnate. Though once deleted somehow, it would revive when the phone’s booted. This malware will be coming with most harmless applications on Playstore and takes over handset to dump malware. A thing to note here is, Xiny is functional only if the user grants root access to the phone only.

How can these trojans be neutralised?

To get rid of Android. Xiny. 5260, one can reflash the device if the corresponding firmware is available. But is there another way to delete the malware? It is difficult but not entirely impossible. There are several ways to accomplish this.

To gain root access, one can resort to exploits that are implemented as library files. Unlike executable code, library code won’t be blocked by the trojan. Another option is to use the trojan component that grants root permissions to its other components.

The instruction is transmitted using this socket path: /dev/socket/hs_linux_work201908091350 (a different path may be used by other trojan versions). To circumvent the altered mount routine, one can use that very ‘magic’ mount flags value or invoke the required system call directly.

If your device has been infected by this Xiny Malware, we recommend that you reflash your device with official firmware. However, don’t forget that reflashing a device deletes all user files and apps, so create backups before you proceed.