A new Android malware strain dubbed xHelper, which according to Symantec has now infected a total of 45,000 devices since it was first discovered back in March, seems to have become nearly impossible to remove. As reported by Malwarebytes, the malware keeps reinstalling itself even after a factory reset (via ZDNet).
With most new infections being spotted in India, the US, and Russia, the malware is affecting an average of 131 new victims per day and around 2,400 new victims per month.
The main source of xHelper is believed to be “web redirects” that send users to web pages hosting Android apps. These pages detail how to side-load unofficial Android apps, and hidden code in these apps then downloads the xHelper trojan.
For most of its operational lifespan, however, the trojan only shows intrusive popup ads and notification spam, without carrying out any destructive operations:
“The ads and notifications redirect users to the Play Store, where victims are asked to install other apps — a means through which the xHelper gang is making money from pay-per-install commissions. Once the trojan gains access to an Android device via an initial app, xHelper installs itself as a separate self-standing service.
Uninstalling the original app won’t remove xHelper, and the trojan will continue to live on users’ devices, continuing to show popups and notification spam.”
Symantec says the trojan is in “a constant evolution” with new code updates being shipped out regularly, which is why even most paid mobile antivirus solutions fail to remove it.