Malware on Android is nothing new. From Trojans to spyware to adware, Android has become a favorite target of attackers. This year, cyberattacks targeting mobile devices have doubled compared to last year, according to the Cyber Attack Trends: 2019 Mid-Year Report by security research firm Check Point.
This is due to the increased usage of mobile banking applications.
Last July alone, 25 million Android devices were silently infected with the malware called Updates for Samsung. The app, which had 10 million downloads before it was pulled from the Google Play Store, tricked people into paying for updates that were supposed to be free. When you consider all the other cyberattacks on Android devices, the number of infected smartphones is staggering.
But you know what is scarier than malware?
Unremovable malware.
And this is the case with the xHelper malware that has left 45,000 Android device owners extremely frustrated. The xHelper malware can’t be detected and removed by a regular mobile antivirus solution. Even uninstalling the app does not help because the malware just keeps reinstalling itself.
Worst of all, doing a factory reset is useless because the malware can somehow survive it. This persistent malware hides itself from users, downloads other malicious apps, and displays annoying advertisements.
What Is xHelper Malware and What Does It Do?
xHelper is a Trojan dropper that is distributed via web redirects. When a user visits a particular website set up by the attacker, the traffic is redirected to another site hosting Android apps. These unofficial apps, hosted outside the Google Play Store, contain hidden code that downloads the xHelper malware.
Once installed, you might notice an icon in the notification tray titled xHelper. After a few minutes, you’ll receive additional notifications about new apps installed by the Trojan. The malware has no regular user interface, so it is not listed in the device’s application launcher and you can’t launch it manually. Instead, it is launched by external events, such as when the device is rebooted, when an app is installed or uninstalled, or when the device is connected to or disconnected from power.
Once the malware is launched, it registers itself as a foreground service, making it difficult to kill, even when memory is low. If the malware is stopped, it quickly restarts the service.
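The traits described above (no launcher entry, start-up on system events, a long-running service) can be checked in an app's manifest. The following is an added example, not code from the original article or from any vendor: it assumes the manifest has already been decoded to text XML (for instance with apktool), and the package name, sample manifest and the "two or more triggers" threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Broadcasts for the triggers the article lists: reboot, app (un)install, power.
TRIGGERS = {"android.intent.action." + a for a in (
    "BOOT_COMPLETED", "PACKAGE_ADDED", "PACKAGE_REMOVED",
    "ACTION_POWER_CONNECTED", "ACTION_POWER_DISCONNECTED")}

def names(parent, tag):
    """android:name values of every <tag> element under parent."""
    return {el.get(NS + "name") for el in parent.iter(tag)}

def audit_manifest(xml_text):
    """Flag a manifest with no launcher entry that wakes on system events (heuristic)."""
    root = ET.fromstring(xml_text)
    launcher, hits, has_service = False, set(), False
    for comp in root.iter():
        if comp.tag in ("activity", "activity-alias"):
            for flt in comp.iter("intent-filter"):
                if ("android.intent.action.MAIN" in names(flt, "action") and
                        "android.intent.category.LAUNCHER" in names(flt, "category")):
                    launcher = True
        elif comp.tag == "receiver":
            hits |= names(comp, "action") & TRIGGERS
        elif comp.tag == "service":
            has_service = True
    return {
        "package": root.get("package"),
        "has_launcher": launcher,
        "triggers": sorted(hits),
        "foreground_permission":
            "android.permission.FOREGROUND_SERVICE" in names(root, "uses-permission"),
        # Assumed threshold: hidden app + service + at least two event triggers.
        "suspicious": not launcher and has_service and len(hits) >= 2,
    }

# Constructed sample manifest, not taken from a real xHelper sample.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.helper">
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".CoreService"/>
    <receiver android:name=".Wake"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
      <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
    </intent-filter></receiver>
  </application></manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

A match is only a reason to look closer: many legitimate background apps also start on boot, so the result should be weighed together with where the app came from.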
Aside from downloading malicious software, the malware also delivers annoying pop-up ads on the device. To find out whether your device is really infected, go to the App info section of your device and see if xHelper is listed there. If it is, then you’re in trouble.
xHelper is so persistent that it is almost impossible to remove. According to several user reports, removing the xHelper service does not work because it just comes back again after a few minutes. Even when the Install apps from unknown sources option is disabled, the malware keeps turning the setting back on after some time.
Using regular security software for mobile devices is not enough to remove this malware from Android. Several users also tried resetting their devices to their factory settings, but it didn’t work either.
So what do you do when your device is infected with persistent malware, such as xHelper? And why is it unremovable in the first place?
How Can Malware Survive a Factory Reset?
Mobile users believe that doing a factory reset should wipe everything out on the device, including the malware. In most cases, doing this should get rid of common malware. When you do a factory reset, all your device settings, user data, files, third-party apps, and other associated app data from your Android device’s internal flash storage will be erased. The process will return the device to the condition it was in when it was shipped out by the manufacturer.
To reset your phone to its factory settings, just go to the device’s Settings and find the reset options. Tap on Erase all data (factory reset) or Factory data reset, depending on your mobile device. This should wipe out all your phone’s data and make it seem brand new again.
Unfortunately, persistent malware, such as xHelper, cannot be removed even after doing a factory reset.
Here are some ways malware can survive a factory reset:
- If the factory backup location becomes infected by malware or is the source of the infection, the malware will just reinstall itself after the reset.
- Some malware entities are designed to be aware when a factory reset is being done and can intercept or stop the process.
- If the infection is on the local network level, resetting the device will not help because the malware will simply reinstall itself when you reconnect the device to the network.
In the case of xHelper, Symantec reveals that the attackers are focusing on specific brands based on user reports. Symantec did not mention which brands are being targeted, but the security company believes that the malware did not come preinstalled on the infected devices because the malicious apps don’t have any indication of being system apps. But because the malware keeps reinstalling itself despite various removal processes, Symantec thinks that another malicious system could be persistently downloading the malware.
How to Remove Malware from Android
If you suspect that your device has been infected by malware, the first thing you need to do is disconnect it from the internet. This prevents the malware from communicating with its server and passing on your personal information or downloading more malicious software, as is the case with xHelper. Once you’ve done so, follow the steps below to remove malware from your Android device:
1. Run a scan of your mobile device
If you don’t have a mobile antivirus, make sure to download one from the Google Play Store before disconnecting your device. Once you have an antivirus or anti-malware app installed, run the app to scan your device. If the antivirus fails to detect the malware, try scanning with different antivirus software until you find one that does.
According to Malwarebytes, the Malwarebytes for Android app can remove the Android/Trojan.Dropper.xHelper malware. You can also try Bitdefender or Kaspersky.
2. Uninstall apps in Safe Mode.
To prevent malware from running or hiding when you’re trying to remove it, boot your device into Safe Mode so that only the necessary system software is loaded.
To restart your device into Safe Mode, follow the steps below:
- Press and hold the Power button on your phone until Android prompts you to turn off your device.
- Tap and hold Power Off on the screen for a few seconds until Android asks you to confirm that you want to boot into Safe Mode.
- Tap OK and wait for the device to restart.
When you see the Safe Mode badge on the screen, you can then start uninstalling the malicious apps associated with the malware. Delete all junk files using an Android cleaner app to make sure that no malware files are left. This prevents malware from being able to re-infect devices because of leftover files in the system.
Once you have uninstalled all apps and deleted all files associated with the malware, restart your phone in normal mode and observe if the malware is completely gone. If the malware comes back, do the next step below.
3. Do a hard reset using Recovery Mode.
If doing a factory reset from the Settings of the device does not remove the malware from your Android device, you should do a reset from Recovery Mode instead. But before you do, you need to wipe the cache partition to ensure that all system caches are deleted. This is done from the recovery menu.
Here are the steps to wipe the cache partition and do a factory reset using Recovery Mode:
- If your device is on, turn it off.
- Hold the Power and Volume keys down.
- Tap Start when you see the arrow pointed at the power button. You can use the Volume keys to scroll up or down, and the Power key to select an option.
- Scroll down by pressing the Volume down button until Recovery Mode is highlighted.
- Press the Power Button to launch Recovery Mode.
- When the screen reloads, you will see the No command message with an Android robot in distress.
- Press and hold the Power and Volume Up buttons at the same time to launch Recovery Mode.
- Scroll down using the Volume button and highlight Wipe Cache Partition.
- Press the Power button to select the option and wait for the system cache partition to be deleted.
- Once cleared, you can now scroll through the menu and highlight Wipe data/factory reset.
- Press the Power button to select your option.
- Select Yes to confirm the reset.
- Once the device has been reset, you will be redirected to the same recovery mode menu. Highlight Reboot system now and press the Power button to confirm.
Your device should now boot in normal mode using its factory settings. You may lose all your files, settings, and system updates, but at least you don’t have to deal with the pesky malware anymore.
How to Protect Your Device From Malware Infection
The damage brought about by malware infection is no joke. Depending on the type of malware that infects your device, your personal data and your device itself could be at risk. xHelper is on the lighter end of the spectrum because it only serves pop-up ads that do nothing but annoy you, but its tenacity is what makes this malware dangerous.
Still, prevention is always better than cure. If you observe safe online practices, you don’t have to worry about dealing with malware at all.
Here are some tips to keep your device free from malware:
- Keep your software up to date. Manufacturers often include security patches that deal with recent threats in their updates.
- Do not download apps from unfamiliar websites. If the website you visited redirected you to another address or the website seems dodgy, get out of there as soon as possible.
- Install apps from trusted sources only. Stick with Google Play Store. And never, ever sideload any apps, even if you think they are safe.
- Pay attention to the permissions requested by apps. Whenever an app asks for permissions, ask yourself if that app really needs access to that service for it to work. For example, a gaming app does not need access to your contacts or messages.
- Install a reliable mobile security app to protect your mobile device and personal data. And make it a habit to run a scan regularly, just to be safe.
- Make regular backups of important data so that, whatever happens, you still have a copy of your important files.
xHelper may have infected only a small number of Android devices, but this case is just the beginning. As malware evolves, detecting and removing it will be more challenging. In the end, caution and awareness are the keys to preventing malware infection. And if, unfortunately, your device becomes infected by persistent malware, simply follow the steps above to get rid of it completely.