Android trojan xHelper can reinstall itself after removal and factory reset

While xHelper can be removed by antivirus software, it will soon reinstall itself. (Image via Malwarebytes forum user Amelia)

An Android trojan by the name of xHelper has been found to reinstall itself after removal. Worse still, the malware reinstalls itself even after a factory reset. Malwarebytes has devised a fairly complex manner of removing the malware, which it says is the worst mobile malware the antivirus firm has ever encountered.

Sam Medley, Published 02/15/2020

It seems that there’s always a new piece of malware wreaking havoc in the Android world. Oftentimes, a quick virus scan or factory reset will delete the malicious app and eliminate the threat. However, there is a relatively new trojan that has been able to evade most antivirus measures and reinstall itself, even after a factory reset.

The xHelper trojan, which was discovered in early 2019. The trojan is a rudimentary piece of malware that mainly uses the infected device’s resources to visit ad pages in order to generate revenue. This, in turn, hogs system resources and can rack up data usage, a particularly poignant problem for those on restricted or metered connections.

The biggest problem with xHelper is the sneaky way in which it persists. Upon installation, the trojan buries a dropper deep in the Android file system that is largely ignored by antivirus checks. Even worse, the dropper persists even after a factory reset. The dropper will then reinstall the trojan and drop more malware before uninstalling itself to remain hidden.

While the exact mechanics of how xHelper works are still not fully known, Malwarebytes has devised a plan of action to permanently remove the trojan. If you suspect your device of being infected by xHelper, run a virus scan with any reputable antivirus software. If xHelper pops up, Malwarebytes suggests you follow these steps (from the Malwarebytes blog). Note: these steps were devised with the help of a Malwarebytes forum user by the name of Amelia.

We strongly recommend installing Malwarebytes for Android (free).
Install a file manager from Google PLAY that has the capability to search files and directories.
- Amelia used File Manager by ASTRO.
Disable Google PLAY temporarily to stop re-infection.
- Go to Settings > Apps > Google Play Store
- Press Disable button
Run a scan in Malwarebytes for Android to remove xHelper and other malware.
- Manually uninstalling can be difficult, but the names to look for in Apps info are fireway, xhelper, and Settings (only if two settings apps are displayed).
Open the file manager and search for anything in storage starting with com.mufc.
If found, make a note of the last modified date.
- Pro tip: Sort by date in file manager
- In File Manager by ASTRO, you can sort by date under View Settings
Delete anything starting with com.mufc. and anything with same date (except core directories like Download):
Re-enable Google PLAY
- Go to Settings > Apps > Google Play Store
- Press Enable button
If the infection still persists, reach out to us via Malwarebytes Support.

Source(s)

Malwarebytes Blog

Routers with security vulnerabilities are the perfect gateway for malware (Image: Stephen Phillips)

Microsoft went from door to door to take malware-infected routers offline 07/20/2021

Cheetah Mobile's apps can no longer be downloaded on the Play Store. (Source: Cheetah Mobile)

Google announces the removal of about 600 apps from the Play Store 03/02/2020

The Android 11 preview has appeared. (Source: Google)

Google releases the first Android 11 Developer Preview 02/19/2020

Wacom hardware seems to do more than advertised

Another one caught red-handed: Wacom has been tracking your activity as well 02/06/2020

Avast-related search suggestions in Bing search (Source: Own)

The price of free software: Avast has been selling the browser history of its users 01/28/2020

Microsoft Modern Standby is causing some laptops to heat up like crazy

Microsoft Modern Standby is causing some XPS, Lenovo and Asus laptops to heat up like crazy 01/28/2020

Windows 7 will receive one more update despite its official death two weeks ago. (Image via Microsoft)

Microsoft to release update for Windows 7 despite ending support earlier this month 01/27/2020

Lenovo statement: Thunderbolt firmware responsible for ThinkPad USB C failures 01/25/2020

Thunderbolt 3 functionality is failing across multiple ThinkPad variants.

ThinkPad Thunderbolt 3 failure: What's happening, why it's happening, and how to fix it 01/24/2020

Several Ring home cameras breached, recycled passwords likely to blame 12/16/2019

Hackers target legacy Windows PCs to mine crypto via BlueKeep exploit 11/06/2019

If any of these app icons are on your iPhone or iPad, uninstall them immediately. (Image via Wandera)

Trojan malware found in 17 apps on Apple App Store 10/25/2019

The Int App Lock icon alongside some code it reportedly runs. (Source: Pradeo Lab)

The "Joker" malware is found to exist within yet another Android app 10/23/2019

An infected directory showing files with a

Lilu/Lilocked ransomware has now infected thousands of Linux servers 09/08/2019

Malware is now a problem when downloading textbooks. (Source: Wikipedia)

Kaspersky claims to have found malware in digital college textbooks 09/06/2019

Security researchers load ransomware onto DSLR over WiFi and encrypt photos in WannaCry-styled attack 08/12/2019

The Persistence of Chaos is a fully functional 10.2-inch Samsung NC10-14GB loaded with viruses. (Source: Deep Instinct)

10.2-inch Samsung NC10-14GB loaded with six dangerous viruses going for over US$1 million in live auction 05/26/2019

Loading Comments

Comment on this article

Fake Zoom, Samsung! Neither Galaxy ...

Blender 2.82 brings improved physic...

Sam Medley - Senior Tech Writer - 1344 articles published on Notebookcheck since 2016

I've been a computer geek my entire life. After graduating college with a degree in Mathematics, I worked in finance and banking a few years before taking a job as a database administrator. I started working with Notebookcheck in October of 2016 and have enjoyed writing news and reviews. I've also written for other outlets including UltrabookReview and GeeksWorldWide, focusing on consumer guidance and video gaming. My areas of interest include the business side of technology, retro gaming, Linux, and innovative gadgets. When I'm not writing on electronics or tinkering with a device, I'm either outside with my family, enjoying a decade-old video game, or playing drums or piano.

Please share our article, every link counts!

> Expert Reviews and News on Laptops, Smartphones and Tech Innovations > News > News Archive > Newsarchive 2020 02 > Android trojan xHelper can reinstall itself after removal and factory reset

Sam Medley, 2020-02-15 (Update: 2020-02-15)

Android trojan xHelper can reinstall itself after removal and factory reset

Source(s)

Related Articles