September 25, 2020

How to remove xHelper malware on Android


xHelper is Android malware that was detected by security vendor Malwarebytes in May 2019. It is stealthy and resists removal: even after the user restores factory settings, the device is re-infected, which has caused continuing trouble for users around the world.

Malwarebytes’ security researchers have been studying the threat, and in a recent blog post, the team stated that, although it has not been clear how the malware reinstalls itself, they have indeed found sufficient information to permanently delete it and prevent xHelper from reinstalling itself after a factory reset.

According to the Malwarebytes team, xHelper found a way to use a process in the Google Play Store app to trigger a reinstall. Using a special directory created on the device, xHelper can hide its Android application package (APK) on disk. Unlike apps, directories and files remain on Android mobile devices even after a factory reset. Therefore, the device will continue to be infected until those directories and files are deleted.

Malwarebytes explained in its analysis of the malware:

Google PLAY was not infected with malware. However, something within Google PLAY was triggering the re-infection—perhaps something that was sitting in storage. Furthermore, that something could also be using Google PLAY as a smokescreen, falsifying it as the source of malware installation when in reality, it was coming from someplace else.

Method to remove xHelper

  • We strongly recommend installing Malwarebytes for Android (free).
  • Install a file manager from Google PLAY that has the capability to search files and directories.
    • Amelia used File Manager by ASTRO.
  • Disable Google PLAY temporarily to stop re-infection.
    • Go to Settings > Apps > Google Play Store
    • Press Disable button
  • Run a scan in Malwarebytes for Android to remove xHelper and other malware.
    • Manually uninstalling can be difficult, but the names to look for in Apps info are fireway, xhelper, and Settings (only if two settings apps are displayed).
  • Open the file manager and search for anything in storage starting with com.mufc.
  • If found, make a note of the last modified date.
    • Pro tip: Sort by date in file manager
    • In File Manager by ASTRO, you can sort by date under View Settings
  • Delete anything starting with com.mufc. and anything with the same date (except core directories like Download).
  • Re-enable Google PLAY
    • Go to Settings > Apps > Google Play Store
    • Press Enable button
  • If the infection still persists, reach out to us via Malwarebytes Support.
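
The file-manager steps above (search for com.mufc., note the last modified date, look for items with the same date) can also be run as a script over the device storage or a copy of it. This is an added example, not Malwarebytes' code: the keep-list of core directories, the choice to compare dates only among items in the same directory, and every sample name other than the com.mufc. prefix are assumptions. It only reports candidates and deletes nothing.

```python
import os
import tempfile
from datetime import date, datetime

PREFIX = "com.mufc."  # name prefix given in the removal steps
CORE_DIRS = {"Download", "DCIM", "Pictures", "Music", "Android"}  # assumed keep-list

def mday(path):
    """Last-modified calendar date (local time) of a file or directory."""
    return date.fromtimestamp(os.lstat(path).st_mtime)

def find_candidates(root):
    """Return (hits, same_day): entries named PREFIX*, and their same-date siblings."""
    hits, same_day = [], []
    for cur, dirs, files in os.walk(root):
        names = dirs + files
        flagged = [n for n in names if n.startswith(PREFIX)]
        if not flagged:
            continue
        days = {mday(os.path.join(cur, n)) for n in flagged}
        for n in names:
            path = os.path.join(cur, n)
            if n in flagged:
                hits.append(path)
            elif n not in CORE_DIRS and mday(path) in days:
                same_day.append(path)  # review by hand before deleting
        # Flagged directories are removed whole, so do not descend into them.
        dirs[:] = [d for d in dirs if d not in flagged]
    return sorted(hits), sorted(same_day)

def build_sample(root):
    """Constructed sample tree; names and dates are made up for the demo."""
    infected = datetime(2020, 1, 15, 12, 0).timestamp()
    older = datetime(2019, 6, 1, 12, 0).timestamp()
    layout = {"com.mufc.example": infected, "lib_cache": infected,
              "Download": infected, "Notes": older}
    for name, ts in layout.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.utime(path, (ts, ts))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        hits, same_day = find_candidates(tmp)
        print("starts with com.mufc.:", hits)
        print("same date, review before deleting:", same_day)
```

In the constructed tree, Download shares the infection date but is kept off the list, while the made-up lib_cache directory is reported for review.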