In the past few months, some Android users have been plagued by a malware called xHelper, and its automatic reinstallation mechanism is helpless. xHelper was first discovered in March. By August, it gradually infected more than 32,000 devices. As of this month, according to Symantec’s data, the total infection has reached 45,000. The malware infection speed continues to rise. According to Symantec, xHelper generates an average of 131 new victims per day and about 2,400 new victims each month.
According to Malwarebytes, the source of these infections is “web redirects,” which sends users to web pages hosting Android apps. These sites guide users on how to indirectly load unofficial Android apps from outside the Play Store. The hidden code in these applications will download the xHelper Trojan.
The good news is that the Trojan is currently not performing destructive operations, and most of the time it displays intrusive pop-up ads and spam notifications. Ads and notifications redirect users to the Play Store and ask users to install other apps—in this way, xHelper makes money from pay-per-install.
The annoying thing is that the xHelper service cannot be removed because the trojan reinstalls itself each time, even after the user has factory reset the entire device. How xHelper survives after a factory reset is still a mystery. However, both Malwarebytes and Symantec stated that xHelper will not tamper with system services and system applications.
In some cases, users say that even if they remove the xHelper service and then disable the “Install apps from unknown sources” option, it will re-infect the device in a matter of minutes. In a recent blog post, Symantec said that the Trojan is still evolving, and regularly released code updates.