Malwarebytes experts offered a new way to remove the xHelper Trojan without complete flashing of the device.
First, though, let’s recall what xHelper is and why it has caused so many problems. Experts first spotted xHelper in the spring of 2019, and the first detailed report on the problem appeared in August, when Malwarebytes experts reported that the malware had already infected 35,000 devices.
In the fall of 2019, a new review of the malware was published by Symantec experts.
“The number of infected devices has already exceeded 45,000, and on average xHelper infects 131 new victims per day (about 2,400 new victims per month); the majority of them were from India, the USA and Russia,” said the Symantec researchers.
The main source of infections are redirects and suspicious sites that redirect users to pages with Android applications. Such sites instruct the user in detail how to download applications not from Google Play, and the code hidden in the applications ultimately leads to the loading of xHelper.
The most interesting feature of xHelper is that it does not work like most Android malware. After the trojan gains access to the device through the initial application, xHelper installs itself as a separate standalone service. As a result, uninstalling the original application does not remove xHelper, and the malware continues to display advertising windows and notifications to the victim.
Worse, even if the victim finds the xHelper service in the OS settings, deleting it will not help either, as the trojan is reinstalled every time, even if the user resets the device to factory settings.
“In some cases, users complained that even uninstalling the xHelper service and disabling the ability to install applications from unknown sources did not help: the device appeared to be re-infected literally a few minutes after cleaning, and the option ‘install apps from unknown sources’ turned out to be active again,” said the Malwarebytes researchers.
In fact, even resetting the device to factory settings was not enough to remove xHelper, and the only available option was a complete reflash of the infected device (which is not always possible).
In 2019, Malwarebytes and Symantec experts were unable to understand how xHelper “survives” the actions described above. The Trojan did not interfere with the operation of system applications or services, and Symantec believed that xHelper was unlikely to be preinstalled on devices out of the box, although the malware does appear more often on devices of specific brands.
Over the past few months, Malwarebytes researchers have continued to study the threat and have now published a new report. Unfortunately, Malwarebytes experts still have not figured out exactly how the malware installs itself on infected devices. However, they did find a new way to remove the malware that does not require reflashing the device.
Researchers say that xHelper apparently exploits some process inside the Google Play Store to initiate reinstallation, and that the malware survives a factory reset by hiding its APK in special directories that it creates on the device.
The key point is that, unlike applications, directories and files remain on the device even after a reset to factory settings. After the reset, the Google Play Store performs some kind of undefined operation (presumably some form of scanning), after which xHelper is reinstalled and reappears in the system.
Now, experts suggest the following scheme for removing xHelper from infected devices.
- Install any file manager from Google Play that can search files and directories.
- Temporarily disable Google Play to prevent re-infection (Settings -> Applications -> Google Play Store, then tap “Disable”).
- Install and run the Malwarebytes Android application to determine the name of the application masquerading as xHelper. Search for and delete applications whose names contain the words fireway, xhelper and Settings (the latter only if there are two Settings applications).
- Open the file manager and search for anything whose name starts with com.mufc.
- If something is found, write down the date and time of its last change.
- Delete everything that starts with com.mufc, along with any directories that have the same creation time (except for main directories such as Download).
- Re-enable Google Play.