Unremovable Android malware will reinstall itself even after a factory reset

Unremovable Android malware will reinstall itself even after a factory reset
Imagine your worst malware nightmare, because it might be here now. ZDNet is reporting about a particular "strain" of malware that has the ability to reinstall itself making it nearly impossible for Android users to get rid of. Known as xHelper, the malware was first spotted in March and five months later it had infected 32,000 phones. That number hit 45,000 this month. According to Symantec, 131 new handsets are infected each day, approximately 2,400 each month.

The malware shows popup ads and notification spam that brings in revenue to those behind it. It also takes infected phones to the Google Play Store. There, phone owners are told to install premium websites which pay commissions to the bad actors. The malware can be loaded onto an Android phone through the use of redirects that send users to a website hosting Android apps. Some of these apps that users sideload on their Android phone contain the xHelper trojan.

Once one of the infected apps is installed, xHelper installs as a separate download and removing the original app it was attached to will not get rid of it. In fact, Android users will never get rid of xHelper as it will reinstall even after a factory reset! This remains a mystery to both software developers Symantec and Malwarebytes. Both say that xHelper doesn't mess with the Android OS or system apps. And some victims found that even after removing xHelper and disabling the "Install apps from unknown sources" option, the malware comes right back on the user's phone.

While some paid versions of mobile anti-virus software are said to work, there seems to be a battle between those responsible for the trojan and developers of the anti-virus software with each trying to get the better of the other. The scary part of xHelper is that there might be another shoe to drop. Those responsible for it could arrange for the trojan to release a payload that might include malware that will steal your banking information, passwords and other personal information.

A word to the wise: with xHelper possibly attached to any app you sideload, you might want to refrain from this practice except for those sideloads that come from a developer you know and  absolutely trust.



1. Rocket

Posts: 696; Member since: Feb 24, 2014


2. mackan84

Posts: 609; Member since: Feb 13, 2014

I’ll bet they’ll be the next trillion dollar company.

3. Cmclend

Posts: 1; Member since: Oct 29, 2019

I had something like this in my Note 9, the only way I got rid of the Malware was by booting from bootloader which took 2hrs

8. AlienKiss

Posts: 241; Member since: May 21, 2019

What exactly took 2 hours? To turn off the phone and press 3 buttons at the same time or just booting into recovery/bootloader mode? I'm trying to imagine how this Trojan works. I was thinking that it may affect the files on the SD card (if available), or that it already made a backup of itself on the user's email address or cloud storage. Seems to be a very powerful piece of software that managed to obtain admin rights and hide itself in the Android installation kit of the os. I cannot imagine how else it could survive a hard reset. It may be doing it through a small script written in C# to create a buffer overflow. Since I don't install apps on a daily basis, I don't worry about it.

4. cheetah2k

Posts: 2288; Member since: Jan 16, 2011

On a samsung phone, just download the original firmware using the Frija windows app, and then flash that firmware using Odin.. On other android phones, well, that's another story, good luck!

5. The_Truths_Razor

Posts: 1; Member since: Oct 29, 2019

My guess would be that it exploits the backup feature for Google phones. So that when a user puts in there Gmail the link is stored there and starts downloading the seemingly inconspicuous code. To test don't back up anything after a HARD factory reset and use a different account.

7. Vokilam

Posts: 1343; Member since: Mar 15, 2018

I still don’t know why android fans are still Proud that they can sideload apps and use that argument against iOS users (even though you can easily sideload apps on iOS).

9. AlienKiss

Posts: 241; Member since: May 21, 2019

Funny, I remember that there was a built-in flaw that affected anything having wifi a few years back, including iOS, not only android. The idea is that you'll never be 100% safe as long as you have a internet connection and black hat hackers.

10. PartTimePhoner

Posts: 33; Member since: Jun 03, 2019

Though if you go around installing every single apk out there you should be expecting something like this. Weakest part of the chain is still the user

11. mentalerror

Posts: 16; Member since: May 19, 2016

I had this malware on my old cheap phone for more 2 years now. I never did manage to uninstall the app but I did however able to stop it from working by installing a network/internet blocker app

12. Sweetcheese

Posts: 43; Member since: Aug 23, 2018

A malware that survives a hard reset is next level even my network operator resends configuration settings after a hard reset as they think it's new

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.