How to Get Rid of the Most Annoying Android Malware: XHelper

xHelper is a gift that never stops giving. And by gift I mean “Android malware”. and by “kickback” I mean “opening your system to all kinds of nasty attacks.” Like this creature from the alien movies, the main purpose of xHelper is to stay put – it keeps reinstalling your phone even if you do a factory reset, so that it can continue to connect to the remote command and control server and allow an attacker to wreak havoc on your Android.

How to destroy this malware cockroach? We said earlier that the best way to deal with this is to ditch xHelper entirely . If you haven’t followed our advice or accidentally discovered immortal malware on your device, hope is not lost. Removing xHelper is a pain in the ass, but it’s possible.

It is worth taking the time to read how MalwareBytes was able to conclude that xHelper was to blame for the problems one of the forum users had with her device. It’s fun, but it will also help you familiarize yourself with the processes you will need to go through to get rid of xHelper on your device.

To get started, you need a file management application . Then the MalwareBytes user had to disable the Google Play Store – yes, the very app you use to download most of the apps to your device. This is normal, because this is how xHelper “hides”. The .APK starts up, reinstalls the main xHelper malware, and then seemingly removes itself (the original .APK) without your knowledge. And all this is due to what researchers have yet to figure out, namely the Google Play Store app in this case.

She then ran MalwareBytes to remove xHelper, and used the file manager app to search Android for anything starting with com.mufc. If the “last modified” date of anything she found coincided with the date of that day (and was close to the time when she launched MalwareBytes), she would delete it – provided it was not a more obvious and important folder, such as “Downloads”. Then she turned on the Google Play Store app and it looks like everything is fine.

While this seems like a fairly straightforward solution, it took a long time to find it. As Malwarebytes’ Nathan Collier writes :

This is by far the most annoying infection I have come across as a mobile malware researcher. Usually, a factory reset, which is the last option, will solve even the most serious infection. I can’t remember the time when the infection persisted after a factory reset if the device didn’t have malware preinstalled. This fact accidentally sent me on the wrong track. Fortunately, I had the help of Amelia, who was persistent, like xHelper himself, in finding an answer and leading us to our conclusion.

I am more than willing to bet that there will be some variant of xHelper or some other malware that uses different methods to hide itself on your device. And it will probably take extra effort on your part to root it out – perhaps even pull out ADB and uninstall system apps until you can pinpoint the exact source of the problem on your infected device. I would not expect the average Android user to know how to do this.

My one-stop advice, besides completely avoiding downloading unpublished apps, is to do whatever you can to stop the processes and apps on your device. This includes any applications that might seem innocent at first glance. Once you’ve done that, you can hopefully track down xHelper and get rid of it permanently, but it won’t be a fun process.


Leave a Reply

Your email address will not be published. Required fields are marked *