The Android malware xHelper has been a major concern for mobile phone makers since it was exposed by security firm Malwarebytes in May 2019. Since then, most Android security applications have added xHelper detection, which in theory means that most devices should already be protected from it. In practice, xHelper is much harder to remove completely than expected, even after a factory reset.
According to Malwarebytes, the source of these infections is “web redirects,” which send users to web pages hosting Android applications. These sites teach users how to sideload unofficial Android apps from outside the Play Store. Code hidden in these applications then downloads the xHelper Trojan.
The good news is that the Trojan is not performing destructive actions at the moment; most of the time it displays intrusive pop-up ads and spam notifications. The ads and notifications redirect users to the Play Store and ask them to install other apps, which is how xHelper makes money through a pay-per-install scheme.
It’s annoying that the xHelper service can’t be removed because the Trojan reinstalls itself each time, even after the user has factory reset the entire device. How xHelper survives a factory reset remains a mystery. However, both Malwarebytes and Symantec said that xHelper does not tamper with system services or system applications.
xHelper was first discovered in March. By August, it had gradually infected more than 32,000 devices. As of last October, the total number of infections had reached 45,000, according to Symantec. The malware’s infection trajectory is on the rise: the same report says xHelper causes an average of 131 new victims a day, about 2,400 new victims a month.
The latest Malwarebytes report reads: “Even though Google Play does not have a malicious program, some events in Google Play trigger a reinfection, possibly with some files stored in it. In addition, these things may use Google Play as a disguise to install malicious programs from other sources.”
The security vendor detailed one customer’s device infection with xHelper. After carefully examining the files stored on the infected Android phone, its researchers found that the Trojan had been embedded in an APK located in the com.mufc.umbtts directory. To make matters worse, the researchers still don’t know how the infection is triggered through Google Play.
“This is the confusing part: the installation of Trojan.Dropper.xHelper.VRW is not displayed on the device,” the Malwarebytes researchers explain. “We believe it will be installed, run and uninstalled again in seconds to evade detection – all of which are triggered by Google Play.”
To clear the infection, users first need to disable the Google Play Store before running a device scan with antivirus software. Otherwise, the malware will keep coming back even after it has apparently been removed.
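The clean-up sequence above (disable the Play Store, scan, then re-enable it) can be driven over ADB from a workstation. The script below is an added example, not code from the article or from Malwarebytes; it assumes USB debugging is enabled and `adb` is on the PATH, and it checks for the com.mufc.umbtts package name the article mentions. `DRY_RUN=1` prints the commands instead of running them, which is useful for reviewing them before touching a device.

```shell
#!/bin/sh
# Added example (not from the article): ADB helper for the clean-up order the
# article describes: 1) disable the Play Store, 2) scan/remove, 3) re-enable.
# Assumptions: USB debugging is on, `adb` is installed, one device attached.

PLAY_STORE="com.android.vending"   # package name of the Google Play Store
SUSPECT_PKG="com.mufc.umbtts"      # package/directory name given in the article

# Run a command on the device, or print it when DRY_RUN=1.
adb_sh() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'adb shell %s\n' "$*"
  else
    adb shell "$@"
  fi
}

# Step 1: disable the Play Store for the primary user so it cannot
# re-trigger the dropper while the scan runs (no root required).
disable_play_store() { adb_sh pm disable-user --user 0 "$PLAY_STORE"; }

# Step 3: re-enable the Play Store once the device is clean.
enable_play_store()  { adb_sh pm enable "$PLAY_STORE"; }

# Reads `pm list packages` output on stdin; exits 0 if the suspect
# package is installed. Kept separate so it can be tested offline.
is_suspect_present() { grep -qx "package:$SUSPECT_PKG"; }

# Ask the device for its third-party packages and check for the suspect.
check_device_for_suspect() {
  adb_sh pm list packages -3 | is_suspect_present
}

# Full sequence: disable the store, report whether the suspect package is
# present, remove it for the primary user if found, then leave the store
# disabled until the user's antivirus scan has finished.
xhelper_cleanup() {
  disable_play_store
  if check_device_for_suspect; then
    echo "suspect package $SUSPECT_PKG found; removing for user 0"
    adb_sh pm uninstall -k --user 0 "$SUSPECT_PKG"
  else
    echo "suspect package $SUSPECT_PKG not listed"
  fi
  echo "run the antivirus scan now, then call enable_play_store"
}
```

Source the file and call `xhelper_cleanup`, then `enable_play_store` after the scan. The package check is a convenience for this one reported name; the article stresses that the dropper installs and uninstalls itself within seconds, so an empty package list does not by itself mean the device is clean.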