Android trojan xHelper can reinstall itself after removal and factory reset

While xHelper can be removed by antivirus software, it will soon reinstall itself. (Image via Malwarebytes forum user Amelia)
An Android trojan by the name of xHelper has been found to reinstall itself after removal. Worse still, the malware reinstalls itself even after a factory reset. Malwarebytes has devised a fairly complex manner of removing the malware, which it says is the worst mobile malware the antivirus firm has ever encountered.
Sam Medley,

It seems that there’s always a new piece of malware wreaking havoc in the Android world. Oftentimes, a quick virus scan or factory reset will delete the malicious app and eliminate the threat. However, there is a relatively new trojan that has been able to evade most antivirus measures and reinstall itself, even after a factory reset. 

The xHelper trojan, which was discovered in early 2019, is a rudimentary piece of malware that mainly uses the infected device’s resources to visit ad pages in order to generate revenue. This, in turn, hogs system resources and can rack up data usage, a particularly painful problem for those on restricted or metered connections.

The biggest problem with xHelper is the sneaky way in which it persists. Upon installation, the trojan buries a dropper deep in the Android file system that is largely ignored by antivirus checks. Even worse, the dropper persists even after a factory reset. The dropper will then reinstall the trojan and drop more malware before uninstalling itself to remain hidden. 

While the exact mechanics of how xHelper works are still not fully known, Malwarebytes has devised a plan of action to permanently remove the trojan. If you suspect your device of being infected by xHelper, run a virus scan with any reputable antivirus software. If xHelper pops up, Malwarebytes suggests you follow these steps (from the Malwarebytes blog). Note: these steps were devised with the help of a Malwarebytes forum user by the name of Amelia.

  • We strongly recommend installing Malwarebytes for Android (free).
  • Install a file manager from Google PLAY that has the capability to search files and directories.

    • Amelia used File Manager by ASTRO.

  • Disable Google PLAY temporarily to stop re-infection.

    • Go to Settings > Apps > Google Play Store
    • Press Disable button

  • Run a scan in Malwarebytes for Android to remove xHelper and other malware.

    • Manually uninstalling can be difficult, but the names to look for in Apps info are fireway, xhelper, and Settings (only if two settings apps are displayed).

  • Open the file manager and search for anything in storage starting with com.mufc.
  • If found, make a note of the last modified date.

    • Pro tip: Sort by date in file manager
    • In File Manager by ASTRO, you can sort by date under View Settings

  • Delete anything starting with com.mufc. and anything with same date (except core directories like Download):
  • Re-enable Google PLAY

    • Go to Settings > Apps > Google Play Store
    • Press Enable button

  • If the infection still persists, reach out to us via Malwarebytes Support.
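
A dry-run sketch of the search-and-compare steps above, added here as an example and not taken from Malwarebytes or the original article. It assumes a copy of the device's storage is reachable as a local directory, compares only the top-level entries, and uses constructed sample names and dates; `find_candidates`, `build_sample` and `CORE_DIRS` are names chosen for this example.

```python
import os
import tempfile
from datetime import date, datetime

PREFIX = "com.mufc."      # name prefix from the removal steps
CORE_DIRS = {"Download"}  # the steps name Download; add your device's other core directories


def mod_date(path):
    """Last-modified calendar date (local time), without following symlinks."""
    return date.fromtimestamp(os.lstat(path).st_mtime)


def find_candidates(root):
    """Dry run over the top-level entries of root; nothing is deleted.

    Returns (prefix_hits, same_date, kept_core) as sorted lists of names.
    """
    entries = sorted(os.listdir(root))
    hits = [e for e in entries if e.startswith(PREFIX)]
    hit_dates = {mod_date(os.path.join(root, e)) for e in hits}
    same_date, kept_core = [], []
    for e in entries:
        if e in hits or mod_date(os.path.join(root, e)) not in hit_dates:
            continue
        (kept_core if e in CORE_DIRS else same_date).append(e)
    return hits, same_date, kept_core


def build_sample(root):
    """Constructed sample storage tree; names and dates are made up for the demo."""
    layout = {
        "com.mufc.example": datetime(2020, 1, 20, 12),
        ".cache_x": datetime(2020, 1, 20, 12),
        "Download": datetime(2020, 1, 20, 12),
        "DCIM": datetime(2019, 11, 2, 12),
        "Music": datetime(2019, 11, 2, 12),
    }
    for name in layout:
        os.mkdir(os.path.join(root, name))
    for name, when in layout.items():
        ts = when.timestamp()
        os.utime(os.path.join(root, name), (ts, ts))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        hits, same_date, kept_core = find_candidates(tmp)
        print("prefix matches:", hits)
        print("same date, review before deleting:", same_date)
        print("core directories left alone:", kept_core)
```

The same-date list is a set of candidates to review by hand, since legitimate files written on the same day will also appear in it.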
Sam Medley, 2020-02-15 (Update: 2020-02-15)