Clever Android Virus Keeps Coming Back Even After a Full Reset

xHelper is an Android malware infection that has been around for a while, with security vendor Malwarebytes first detecting it in May 2019.

Since then, the majority of Android security apps added xHelper detection, which means that most devices should already be protected against this form of malware.

But as it turns out, cleaning a device is much harder than we think, as xHelper keeps coming back even after a full reset.

How is this possible? Malwabytes says xHelper is not based on pre-installed malware bundled with the firmware, but uses Google Play, which keeps serving the infection after a full device reset or a successful clean with an antivirus.

“Google Play was not infected with malware. However, something within Google PLAY was triggering the re-infection—perhaps something that was sitting in storage. Furthermore, that something could also be using Google PLAY as a smokescreen, falsifying it as the source of malware installation when in reality, it was coming from someplace else,” Malwarebytes explains in a new analysis of the malware.

Disabling Google Play

The security vendor details the case of a customer whose device was infected with xHelper. Following a closer inspection of the files stored on the compromised Android phone, it was discovered that a Trojan dropper was embedded into an APK located in a directory called com.mufc.umbtts.

The worse part is that researchers still don’t know how Google Play is used to trigger the infection.

“Here’s the confusing part: Nowhere on the device does it appear that Trojan.Dropper.xHelper.VRW is installed. It is our belief that it installed, ran, and uninstalled again within seconds to evade detection—all by something triggered from Google Play.  The “how” behind this is still unknown,” the Malwarebytes researchers explain.

To clean the infection, users first need to disable the Google Play store and only then run a device scan with an antivirus. Otherwise, the malware will keep coming back, despite the virus apparently getting removed.

Brought to you by Web Design
Kuala Lumpur

Leave a Reply

Your email address will not be published. Required fields are marked *

*