This New Android Malware Can Survive A Factory Reset

Here’s a fun one: There’s new Android malware making the rounds that is not only irritating—thanks, pop-up ads—but it’s also incredibly difficult to remove from your Android device once you’re infected.

Though this somewhat-new “xHelper” malware has affected a low number of Android users so far (around 45,000, estimates Symantec), the fact that nobody has any clear advice on how to remove it is a worrisome fact. While the odds are good that you won’t get hit with this malware, given its low installation rate so far—even though it’s been active since March—you should still know what it does and how to (hopefully) avoid it.

As Malwarebytes describes, xHelper starts by concealing itself as a regular app by spoofing legitimate apps’ package names.

Once it’s on your device, you’re either stuck with a “semi-stealth” version, which drops an xHelper icon blatantly in your notifications—but no app or shortcut icons—or a “full-stealth” version, which you’ll only notice if you visit Settings > Apps & notifications > App Info (or whatever the navigation is on your specific Android device) and scroll down to see the installed “xHelper” app.

What does xHelper do?

Thankfully, xHelper isn’t destructive malware in the sense that it’s not recording your passwords, credit card data, or anything else you’re doing on your device and sending it off to some unknown attacker. Instead, it simply spams you with pop-up advertisements on your device and annoying notifications that all try to get you to install more apps from Google Play—presumably how the xHelper’s authors are making cash from the malware.

The dark side, as reported by ZDNet, is that xHelper can allegedly download and install apps on your behalf. It doesn’t appear to be doing so at the moment, but if this were to happen—coupled with the app’s mysterious ability to persist past uninstallations and factory resets—would be a huge backdoor for anyone affected by the malware.

Wait, I can’t uninstall it?

Yep. This is the insidious part of xHelper. Neither Symantec nor Malwarebytes have any good recommendations for getting this malware off your device once it’s installed, as the mechanisms it uses to persist past a full factory reset of your device are unknown. As Symantec describes:

“None of the samples we analysed were available on the Google Play Store, and while it is possible that the Xhelper malware is downloaded by users from unknown sources, we believe that may not be the only channel of distribution.

From our telemetry, we have seen these apps installed more frequently on certain phone brands, which leads us to believe that the attackers may be focusing on specific brands. However, we believe it to be unlikely that Xhelper comes preinstalled on devices given that these apps don’t have any indication of being system apps.

In addition, numerous users have been complaining on forums about the persistent presence of this malware on their devices, despite performing factory resets and manually uninstalling it. Since it is unlikely that the apps are systems apps, this suggests that another malicious system app is persistently downloading the malware, which is something we are currently investigating (keep an eye on the Threat Intelligence blog for more on this).”

So…

If you think you’re infected with xHelper, you can try downloading some standard antivirus apps to your Android device. It’s possible they might help, but I’d err on the side of free antivirus apps for now, lest you find yourself paying a chunk of cash for an app (or subscription) that doesn’t actually help you out at all. The xHelper malware is just that quirky.

I have the full belief that someone—Google itself, or one of the big antivirus players—will find a way to thwart and remove this malware, but it’s going to take a bit of time to get to that solution. In the meantime…

How to avoid getting hit with xHelper in the first place

Right now, the best thing you can do to prevent getting hit with this kind of malware is to be mindful of your web browsing habits. Make sure you aren’t getting redirected to scammy websites that encourage you to sideload unknown apps—or apps that appear safe—onto your device. When in doubt, only install apps from the Google Play Store.

Don’t sideload apps, as in, don’t download and install them manually on your device unless you really know what you’re doing, trust the app’s developer completely, and trust that the app you’re downloading is actually something safe from the developer it claims it is from. (While this won’t protect you one-hundred per cent of the time, sticking to the Google Play Store a lot safer than downloading random .APKs from websites you know nothing about.)

Comments


One response to “This New Android Malware Can Survive A Factory Reset”

Leave a Reply