Over the past six months, a new strain of malware has made a name for itself after popping up on the radar of a couple of antivirus companies. The malware has a self-reinstall mechanism that makes it almost impossible to remove.
The malware, named xHelper, was discovered back in March and has been slowly infecting Android devices. According to Malwarebytes, xHelper had infected 32,000 Android devices by August. Furthermore, according to Symantec, the number of infected devices reached a total of 45,000 this month.
New Android malware displays intrusive pop-up ads and notification spam
According to Symantec, xHelper is infecting 131 new victims per day on average, around 2,400 victims per month. Most of the infected users have been spotted in India, the United States, and Russia.
The source of these infections is “web redirects” that send users to web pages hosting Android apps, says Malwarebytes. These sites instruct users on how to side-load unofficial Android apps from outside the Google Play Store.
The code hidden in these apps then downloads the xHelper trojan. Fortunately, the trojan does not carry out destructive operations yet. For most of its operational lifespan, the trojan has displayed intrusive pop-up ads and notification spam, say both Malwarebytes and Symantec.
These ads and spam messages then redirect users to the Google Play Store, where victims are asked to install other apps; this is where the xHelper gang makes its money, from pay-per-install commissions.
xHelper is pretty much ‘unremovable’
But the most interesting thing is that xHelper does not work like most Android malware. Once the trojan gains access to an Android device through an initial app, it installs itself as a separate, self-standing service.
Uninstalling the main app won’t fully remove xHelper, and neither will a factory reset of the device. In that case, the trojan continues to live on the user’s device, still showing pop-up ads and notification spam.
How xHelper survives a factory reset remains a mystery; xHelper does not tamper with system services or system apps, say both Malwarebytes and Symantec. Additionally, Symantec said that it was “unlikely that Xhelper comes preinstalled on devices.”
According to some users, xHelper was removed when they disabled the “Install apps from unknown sources” option, but the setting then kept turning itself back on, and the device was reinfected within a couple of minutes of being cleaned.
Many users took to Reddit, Google Play Help, and other tech support forums to vent their frustration with the ‘unremovable’ malware. Some users even paid for antivirus subscriptions just to remove the malware, and some of them were successful.
Security researchers warn users of a more dangerous feature of xHelper
For the time being, xHelper is only engaged in ad revenue and spam; however, it also has far more dangerous capabilities. Both Malwarebytes and Symantec said that the malware can download and install other apps.
With this, the xHelper crew could at any point deploy second-stage malware payloads, such as ransomware, banking trojans, DDoS bots, and password stealers. If you find that your device is infected, try the methods that worked for many users.