Malwarebytes experts have proposed a new way to remove the xHelper trojan that does not require completely reflashing the device. But first, a reminder of what xHelper is and why it has caused so many problems.
xHelper was first spotted by researchers in the spring of 2019, and the first detailed report on the problem appeared in August, when Malwarebytes experts reported that the malware had already infected 35,000 devices.
In the fall of 2019, a new review of the malware was published by Symantec experts, who claimed that the number of infected devices had already exceeded 45,000, and that on average xHelper infected 131 new victims per day (about 2,400 new victims per month), most of them in India, the USA and Russia.
The main source of infections is redirects and suspicious sites that send users to pages offering Android applications. Such sites instruct the user in detail on how to download applications from outside Google Play, and the code hidden in those applications ultimately leads to xHelper being loaded.
The most interesting feature of xHelper is that it does not behave like most Android malware. After the trojan gains access to the device through the initial application, xHelper installs itself as a separate standalone service. As a result, uninstalling the original application does not remove xHelper, and the malware continues to display advertising windows and notifications to the victim.
Worse, even if the victim finds the xHelper service in the OS settings, deleting it will not help either, as the trojan is reinstalled every time, even if the user resets the device to factory settings. In some cases, users complained that even uninstalling the xHelper service and disabling the ability to install applications from unknown sources did not help: the device appeared to be re-infected literally a few minutes after cleaning, and the option "install apps from unknown sources" turned out to be active again.
In fact, even resetting the device to factory settings was not enough to remove xHelper, and the only option available to affected users was a complete reflash of the infected device (which is not always possible).
In 2019, Malwarebytes and Symantec experts were unable to understand how xHelper "survives" the actions described above. The trojan did not interfere with the operation of system applications and services, and Symantec believed that xHelper was unlikely to be preinstalled on devices out of the box, although the malware does appear more often on devices of specific brands.
Over the past few months, Malwarebytes researchers have continued to study the threat and have now published a new report. Unfortunately, Malwarebytes experts still have not figured out exactly how the malware installs itself on infected devices. But they were able to find a new way to remove the malware that does not require reflashing.
Researchers say that xHelper apparently exploits some process inside the Google Play Store to trigger reinstallation, and that the malware survives a factory reset by means of special directories it creates on the device, where it hides its APK. The point is that, unlike applications, directories and files on the device's storage are preserved even after a factory reset. After the reset, the Google Play Store performs some as-yet-unidentified operation (presumably some kind of scan), after which xHelper is reinstalled and reappears in the system.
Experts now suggest the following procedure for removing xHelper from infected devices.
- Install any file manager from Google Play that can search files and directories.
- Temporarily disable Google Play to prevent re-infection (Settings -> Applications -> Google Play Store, then tap "Disable").
- Install and run the Malwarebytes for Android application to determine the name of the application hiding xHelper. Search for and delete applications whose names contain the words fireway, xhelper and Settings (the latter only if there are two Settings applications).
- Open the file manager and search for anything starting with com.mufc. If something is found, record the date and time of its last change.
- Delete everything that starts with com.mufc, as well as any directories with the same creation time (except for main directories such as Download).
- Turn Google Play back on.
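The two file-system steps above (find anything named com.mufc*, note its timestamp, then find other directories created at the same moment while sparing standard folders such as Download) can be automated once a copy of the device's shared storage is available locally, for example after `adb pull /sdcard ./storage`. The script below is an added example written for this article, not code from Malwarebytes or from the report; the prefix com.mufc and the Download exclusion come from the steps above, while the two-second timestamp tolerance, the list of other standard folders to spare, and the sample directory tree it builds for demonstration are assumptions of the example. It only reports candidates; deleting them is left to the reader after review, as in the manual procedure.

```python
import os
import tempfile
import time
from pathlib import Path

# Directory-name prefix named in the removal steps above.
SUSPECT_PREFIX = "com.mufc"

# Standard top-level storage folders that must never be flagged even if
# their timestamps happen to match (the article's "main directories such
# as Download"); the names besides Download are an assumption.
SAFE_DIRS = {"Download", "DCIM", "Pictures", "Music", "Movies", "Android", "Documents"}


def find_suspect_dirs(root, tolerance_s=2):
    """Return (seeds, siblings) as lists of paths relative to root.

    seeds    : directories whose name starts with com.mufc
    siblings : other directories whose modification time is within
               tolerance_s seconds of any seed (the "same creation time"
               heuristic from the removal steps; Android file managers
               show modification time, so that is what is compared here)
    """
    root = Path(root)
    seeds, others = [], []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            p = Path(dirpath) / name
            mtime = p.stat().st_mtime
            if name.startswith(SUSPECT_PREFIX):
                seeds.append((p.relative_to(root), mtime))
            elif name not in SAFE_DIRS:
                others.append((p.relative_to(root), mtime))
    seed_times = [m for _, m in seeds]
    siblings = [rel for rel, m in others
                if any(abs(m - t) <= tolerance_s for t in seed_times)]
    return [str(r) for r, _ in seeds], [str(r) for r in siblings]


def build_sample_tree():
    """Construct a throwaway tree mimicking what a file manager would show
    on an infected device (constructed sample data, not a real device)."""
    root = Path(tempfile.mkdtemp(prefix="xhelper_demo_"))
    infection_time = time.time() - 3600        # "infection" one hour ago
    old_time = infection_time - 30 * 86400     # ordinary folders, a month older
    layout = {
        "Download": old_time,
        "DCIM": old_time,
        "MyNotes": old_time,
        "com.mufc.abc": infection_time,        # where the hidden APK would sit
        ".cache_0x1f": infection_time,         # created in the same moment
    }
    for name, ts in layout.items():
        d = root / name
        d.mkdir()
        (d / "placeholder").write_text("sample")
        os.utime(d, (ts, ts))                  # set mtime after populating
    return root


if __name__ == "__main__":
    storage = build_sample_tree()
    seeds, siblings = find_suspect_dirs(storage)
    print("com.mufc* directories:", seeds)
    print("directories with matching timestamp:", siblings)
```

Run against a real pulled copy by replacing `build_sample_tree()` with the path of the local copy; review the reported siblings by hand before deleting anything, because an unrelated directory created in the same minute will also match the timestamp heuristic.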