Persistent malware reinstalls itself on Android devices even after factory reset
Apparently, there are some malicious apps that can be installed from Google Play, even though Google is trying to immediately delete such apps when it finds them. However, some of them have been capable of logging in to your Google and Facebook accounts, spreading malware or changing your device’s configuration.
The cybersecurity company Malwarebytes, which has been working to limit cyber threats and to find ways to disinfect devices, announced its professionals have stumbled upon the most persistent malware for Android they have ever seen. The virus is called xHelper and it’s a trojan dropper that invisibly installs itself on a given Android device, downloads additional malware and displays ads to an extent that the phone becomes almost unusable.
We all know that when you’re fighting something cyber-terrible, your last resort is a factory reset of the affected Android device. However, even after this action, the nasty malware manages to reinstall itself. While trying to find a way to resolve the issue, Malwarebytes actually discovered that the installation comes from Google Play. Somehow, the malware was being triggered by Google Play to reinstall itself.
You don’t have to worry that Google Play itself is infected, though: Malwarebytes assures us it is not, but the malware could be using Google Play as a smokescreen to hide its real source.
Symantec is also raising awareness of this malicious trojan. The app is targeting US and Russian users and has infected over 45,000 devices. The virus xHelper has been on the malware scene since May 2019.
However, Malwarebytes is sharing with us the steps to remove it and stop it from reinstalling itself:
- Malwarebytes recommends installing its free app for Android for the main part of the virus deletion (it’s probable that you can use other anti-malware apps as well but we can’t be sure)
- Install a file manager of your choosing from Google Play
- Temporarily disable Google Play by going into Settings > Apps > Google Play Store
- Run a scan in Malwarebytes’ app to remove xHelper and other malware, or search manually for names such as fireway, xhelper and Settings (only if two settings apps are displayed)
- Open the file manager and find any file starting with com.mufc.
- If you find it, take a note of its last modified date (you can sort by date to find information more easily)
- Delete anything starting with com.mufc. as well as anything from the same date (except core directories such as Download or others)
- Re-enable Google Play
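The file-manager steps above, as an added example that is not from Malwarebytes or the original article: a read-only Python sketch that lists top-level entries starting with com.mufc. and any other entries last modified on the same date, skipping core directories, so they can be reviewed before deletion. It assumes the directory passed in is a copy or mount of the device's shared storage; the CORE_DIRS set, the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from datetime import date

PREFIX = "com.mufc."  # name prefix given in the removal steps
# Assumption: names treated as "core directories" that are never flagged.
CORE_DIRS = {"Android", "DCIM", "Download", "Movies", "Music", "Pictures"}

def mtime_date(path):
    """Local calendar date of the entry's last modification."""
    return date.fromtimestamp(os.lstat(path).st_mtime)

def review_candidates(root):
    """Return (prefix_hits, same_date_entries) for the top level of root.

    Read-only: nothing is deleted; both lists are for manual review.
    """
    entries = {e.name: e.path for e in os.scandir(root)}
    hits = sorted(n for n in entries if n.startswith(PREFIX))
    dates = {mtime_date(entries[n]) for n in hits}
    same_date = sorted(
        n for n, p in entries.items()
        if n not in hits and n not in CORE_DIRS and mtime_date(p) in dates
    )
    return hits, same_date

def build_sample(root):
    """Constructed sample tree standing in for a copy of shared storage."""
    day_a = 1_570_000_000        # constructed timestamp for the flagged date
    day_b = day_a + 30 * 86_400  # constructed timestamp, 30 days later
    layout = {"com.mufc.sample": day_a, "notes_dropped": day_a,
              "Download": day_a, "Holiday": day_b}
    for name, ts in layout.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.utime(path, (ts, ts))  # set last-modified time explicitly

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        hits, same_date = review_candidates(tmp)
        print("prefix matches:", hits)
        print("same-date entries to review:", same_date)
```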
Even though it’s not possible to know every malware in existence, there are several security practices that everyone can follow to limit their exposure to unwanted software. Security professionals advise keeping your software up to date with all available security patches, not downloading apps from unfamiliar websites or untrusted sources, being diligent when granting permissions to an app, regularly backing up your data, and installing a security app of your choosing for additional protection.