xHelper is the gift that keeps on giving. And by gift, I mean “Android malware;” and by giving, I mean “opening up your system to all sorts of unpleasant attacks.” Like that creature from the Alien movies, the primary goal of xHelper is to persist—it keeps reinstalling itself your phone, even if you factory reset your device, so it can keep connecting to a remote command-and-control server and allow an attacker to conduct even more mayhem on your Android.
How do you destroy this cockroach of malware? Previously, we said the best way to deal with it was to avoid xHelper entirely. If you didn’t take our advice, or accidentally found yourself with immortal malware on your device, hope isn’t lost. Removing xHelper is a pain in the arse, but it’s possible.
It’s worth taking a moment to read how MalwareBytes managed to deduce that xHelper was to blame for the issues one of its forum users was having with her device. It’s fascinating, but it also will help you get familiar with the processes you’ll need to go through to get rid of xHelper on your device.
To get started, you’ll first want to grab a file manager app. For MalwareBytes’ user, she then had to disable Google Play Store—yes, the very app you use to download most of the apps on your device. That’s normal, as it’s how xHelper “hides.” An .APK launches, reinstalls xHelper’s primary malware, and then seemingly uninstalls itself (the source .APK) without your knowing. And that’s all triggered by something researchers have yet to figure out, which was the Google Play Store app in this case.
She then ran MalwareBytes to remove xHelper, and used the file manager app to search through her Android for anything starting with “com.mufc.” If the “last modified date” of anything she found matched that day’s date (and was close to the time when she ran MalwareBytes), she removed it—as long as it wasn’t a more obvious, critical folder like “Downloads.” She then enabled the Google Play Store app and seemed to be OK.
While that seems like a somewhat easy solution, it took a lot of digging to arrive at it. As MalwareBytes’ Nathan Collier writes:
This is by far the nastiest infection I have encountered as a mobile malware researcher. Usually a factory reset, which is the last option, resolves even the worst infection. I cannot recall a time that an infection persisted after a factory reset unless the device came with pre-installed malware. This fact inadvertently sent me down the wrong path. Luckily, I had Amelia’s help, who was as persistent as xHelper itself in finding an answer and guiding us to our conclusion.
I’m more than willing to bet that there’s going to be some variant of xHelper, or another malware entirely, that uses different techniques to hide itself on your device. And that’ll probably require more digging on your part to eradicate it—possibly even pulling up ADB and removing system apps until you can pinpoint the source of the issue on your infected device. I wouldn’t expect your average Android user to know how to do that.
My universal advice, aside from avoiding sideloading apps entirely, is to do anything and everything you can to stop processes and apps on your device. That includes any apps that might seem innocent at first glance. Once you’ve done that, you should hopefully be able to track down xHelper and get rid of it for good, but it’s not going to be a fun process.