Back in October, we warned you of a particularly nasty strain of Android malware called xHelper that had already infected 45,000 phones and seemed to be nearly impossible to remove. Even factory resets didn’t help.
Now researchers from Kasperky have figured out just how xHelper makes itself “unkillable,” and also how to, well, kill it.
The xHelper Trojan, which “disguises itself as a popular cleaner and speed-up app,” behaves like a matryoshka, a Russian nesting doll, using a multi-stage infection process, Kaspersky’s Igor Golovin wrote in a blog post earlier this week.
The end result is infection by Triada malware, which Kaspersky once called “organized crime on Android.” This new version of Triada embeds itself deep in the Android system partition, from which it can re-install itself and other malware after a factory reset.
And because at least three of the malicious apps involved in the xHelper/Triada infection process are “droppers” meant to install pretty much anything on a phone, you’ll be at risk from all sorts of malware.
What to do if you’re infected by xHelper
From there, Golovin writes, the only option is to completely reflash the phone’s firmware, which may be beyond the ken of many Android users.
Either method may be “pointless” in some cases, Golovin writes, because “the firmware of smartphones attacked by xHelper sometimes contains preinstalled malware that independently downloads and installs programs (including xHelper).”
The good news is that xHelper seems to affect primarily cheap Chinese-made smartphones running Android 6 Marshmallow or Android 7 Nougat, and which get their apps from sources other than the official Google Play store.
If you’re using a flagship or a mid-range Android phone, you’ve left the settings alone so it doesn’t accept apps from “unknown sources,” and, yep, you’re running one of the best Android antivirus apps, you’re probably in the clear.