Android users have been plagued by a piece of malware called xHelper. Its automatic reinstallation mechanism leaves users helpless.
xHelper was first discovered in March. By August it had infected more than 32,000 devices. As of this month, according to Symantec's data, the total number of infections has reached 45,000, and the trajectory continues to rise: Symantec reports that xHelper picks up an average of 131 new victims per day, roughly 2,400 new victims each month.
According to Malwarebytes, the source of these infections is "network redirection": users are redirected to web pages hosting Android apps, and these sites guide them through sideloading unofficial Android apps from outside the Play Store. Code hidden in these applications then downloads the xHelper Trojan.
The good news is that the Trojan is not currently performing destructive operations. Most of the time it displays intrusive pop-up ads and spam notifications. These ads and notifications redirect users to the Play Store and prompt them to install other apps; this is how xHelper makes money, through pay-per-install.
The annoying part is that the xHelper service cannot be removed, because the Trojan reinstalls itself each time, even after the user has factory reset the device. How xHelper survives a factory reset is still a mystery. However, both Malwarebytes and Symantec state that xHelper does not tamper with system services or system applications.
In some cases, users report that even after they remove the xHelper service and then disable the "Install applications from unknown sources" option, the device is re-infected within minutes. A few users have reported success with certain paid mobile anti-virus solutions.
In a recent blog post, Symantec said the Trojan is still evolving. Its regularly released code updates explain why some anti-virus solutions remove xHelper in some cases but fail against later versions.
At the same time, Symantec also warned that although the Trojan is currently engaged in spam and advertising revenue activities, it has other, more dangerous capabilities. xHelper can download and install other applications, and its operators could use this feature to deploy a second-stage malware payload at any time, such as ransomware, banking Trojans, DDoS bots, or password stealers.