XHelper: Restarting your smartphone or using an antivirus will not remove this malware from your system

The emergence of a new Android malware, known as xHelper, has caught the attention of digital forensics experts and antivirus firms due to a dangerous mechanism that allows it to reinstall itself on the infected device, making it almost impossible to remove.

The first reports of xHelper infections were filed in March, starting with a few hundred devices; the number of infected devices is now estimated to exceed 45,000 Android smartphones. A report from security firm Symantec adds that more than 120 new devices are infected daily.

Regarding the attack vector, digital forensics experts say the operators infect devices by redirecting victims to websites offering third-party apps that are not available in the Play Store. Once sideloaded, the code in these apps acts as a dropper and downloads the xHelper Trojan.

While this malware does not focus on data destruction or theft, the researchers who have analyzed it report that the Trojan displays pop-up ads and spam notifications in an intrusive and persistent manner. These ads and notifications urge victims to install other third-party apps, so the xHelper operators most likely earn revenue for each installation of the promoted apps.

[Image: xHelper process on Android. Source: Malwarebytes]

The behavior of xHelper has drawn the researchers' attention because, unlike most Android malware, xHelper installs itself as a standalone service after the installation of the app in which it is contained. "Due to this feature, uninstalling the initial app will not remove this malware from the infected device", the experts added.

Another intriguing feature of this malware is its ability to reinstall itself: "Even if users manage to detect the xHelper service among the operating system apps, it is not possible to remove it conventionally. If removed, xHelper reappears on the OS a few minutes later, regardless of whether the user has performed a factory reset," the digital forensics experts mention. Since a factory reset wipes the user-data partition, survival across a reset points to a component stored outside that partition or to something on the device re-downloading the Trojan. This malware is even able to enable the 'Install apps from unknown sources' option by itself.

Although some users have managed to permanently remove this malware using paid antivirus tools, this does not work for every xHelper victim. International Institute of Cyber Security (IICS) digital forensics experts attribute this to the constant evolution of the malware, as the operators keep pushing updates to the xHelper code.

The danger does not end there: the antivirus firms that have analyzed this malware consider it likely that the operators will add new and riskier capabilities, such as installing other malicious apps, ransomware, data-stealing malware or botnet code. Users concerned about the security of their mobile devices can review the installed apps and running services on their OS, paying particular attention to apps that did not come from the Play Store, and, on finding signs of infection, look for the best option to remove xHelper permanently.
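The infection vector (sideloaded apps from outside the Play Store) and the advice to review installed apps and the "unknown sources" setting can be turned into a quick triage script. The following is an added example written for this article, not code from the original page or from Symantec, Malwarebytes or IICS. It assumes `adb` with USB debugging, and relies on the `package:<name>  installer=<installer>` output format of `pm list packages -3 -i`; the SAMPLE_PM_OUTPUT below is constructed, not captured from an infected device, and the package names in it are hypothetical.

```shell
#!/bin/sh
# Triage a device for sideloaded third-party packages (added example, not from
# the article). Anything not installed by Google Play (com.android.vending) is
# either sideloaded (installer=null) or was installed by another app, the
# dropper pattern described for xHelper.

# Constructed sample of `adb shell pm list packages -3 -i` output.
SAMPLE_PM_OUTPUT='package:com.example.bank  installer=com.android.vending
package:com.example.game  installer=com.android.vending
package:com.example.cleaner  installer=null
package:com.example.booster  installer=com.example.cleaner'

# sideloaded_packages: read pm output on stdin, print every third-party
# package whose installer is not Google Play, one per line as
#   <package> (installer=<installer>)
sideloaded_packages() {
    awk '/^package:/ {
        name = $1; sub(/^package:/, "", name)
        inst = $2; sub(/^installer=/, "", inst)
        if (inst == "") inst = "null"
        if (inst != "com.android.vending")
            printf "%s (installer=%s)\n", name, inst
    }'
}

# count_lines: number of non-empty lines on stdin (portable, no wc padding).
count_lines() {
    awk 'NF { n++ } END { print n + 0 }'
}

# live_triage: run the same check against a connected device and, for each
# suspect package, show whether it holds the "install unknown apps" permission
# that xHelper is reported to switch on (Android 8+ tracks it per app via
# appops; older releases use the global install_non_market_apps setting).
live_triage() {
    adb shell pm list packages -3 -i | sideloaded_packages | while read -r line; do
        pkg=${line%% *}
        echo "$line"
        adb shell appops get "$pkg" REQUEST_INSTALL_PACKAGES
    done
    echo "global unknown-sources setting (Android 7 and earlier):"
    adb shell settings get secure install_non_market_apps
}

# Stand-alone demonstration on the constructed sample (no device needed).
echo "Suspect packages in sample output:"
printf '%s\n' "$SAMPLE_PM_OUTPUT" | sideloaded_packages
```

Run `live_triage` with a device attached; packages reported with `installer=null` or with another app as installer are the ones to investigate first, since that is exactly how the article says xHelper arrives.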