It has taken security researchers nearly ten months to find a reliable way of cleaning smartphones infected with xHelper, a type of Android malware that, until recently, had been impossible to remove.
The removal procedure is described at the end of this article, but first some context for readers who want to learn more about xHelper.
This particular malware strain has caused quite a lot of pain for users around the world over the past ten months. The malware was first spotted back in March 2019, when users began complaining on various web forums about an app they were unable to remove, even after factory resets.
These apps were responsible for pestering users with intrusive popup ads and notification spam. Nothing truly malicious, but still very annoying.
As the year progressed, xHelper campaigns expanded the malware's reach, infecting more and more devices. According to a Malwarebytes report, there were around 32,000 infected devices by August, a number that later reached 45,000 by late October, when Symantec researchers also published their own report on the threat.
According to researchers, the source of these infections was "web redirects" that sent users to web pages hosting Android apps. The sites instructed users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps eventually downloaded and installed the xHelper trojan.
But while identifying its source, reach, and level of infection was easy, what confounded security researchers last year was that they could not remove the malware from a device through conventional methods, such as uninstalling the original xHelper app or performing a factory reset.
Every time a user factory reset the device, the malware would simply pop up a few hours later, reinstalling itself without any user interaction.
The only way to remove xHelper was to perform a full device reflash by reinstalling the entire Android operating system, a solution that was not possible for all infected users, many of whom did not have access to the proper Android OS firmware images to perform a reflash.
Some clues emerge
Since coming across the malware last year, security researchers from Malwarebytes have continued to look into the threat.
In a blog post today, the Malwarebytes team says that while they still have not discovered exactly how the malware reinstalls itself, they did uncover enough details about its modus operandi to be able to remove it for good and prevent xHelper from reinstalling itself after factory resets.
The Malwarebytes team says that xHelper has apparently found a way to use a process inside the Google Play Store app to trigger the re-install operation.
With the help of special directories it had created on the device, xHelper was hiding its APK on disk to survive factory resets.
"Unlike apps, directories and files remain on the Android mobile device even after a factory reset," says Nathan Collier, Senior Malware Intelligence Analyst at Malwarebytes.
Collier believes that once the Google Play Store app performed some yet-to-be-determined operation (supposedly some sort of scan), the malware reinstalled itself.
Collier has now put together a series of steps that users can follow to remove the xHelper malware from devices and prevent it from reinstalling itself.
Of note, these instructions rely on users installing the Malwarebytes for Android app, but this app is free to use, so it should not be an issue for users.
Step 1: Install a file manager from Google Play that has the capability to search files and directories. (ex: Amelia used File Manager by ASTRO).
Step 2: Disable Google PLAY temporarily to stop re-infection.
- Go to Settings > Apps > Google Play Store
- Press Disable button
Step 3: Run a scan in Malwarebytes for Android to identify the name of the app that hides the xHelper malware. Manually uninstalling can be difficult, but the names to look for in the Android OS Apps info section are fireway, xhelper, and Settings (only if two settings apps are displayed).
Step 4: Open the file manager and search for anything in storage starting with com.mufc.
Step 5: If found, make a note of the last modified date.
- Sort by date in file manager
- In File Manager by ASTRO, you can sort by date under View Settings.
Step 6: Delete anything starting with com.mufc. and anything with the same date (except core directories like Download):
Step 7: Re-enable Google PLAY
- Go to Settings > Apps > Google Play Store
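Steps 4 to 6 above can be reproduced as a dry-run search rather than clicking through a file manager. The script below is an added example, not Malwarebytes' own tooling; it assumes a copy of the device's user storage on a Linux host (for instance pulled with adb pull), GNU find and date, and a constructed list of core directories to skip (Download, DCIM, Android). It only lists candidates; deleting them is still the manual step 6.

```shell
#!/bin/sh
# Added example: locate com.mufc.* markers and every top-level entry that
# shares their last-modified date, mirroring steps 4-6 of the procedure.
# Assumes GNU coreutils (date -r, find -mindepth/-maxdepth).

# Calendar date (YYYY-MM-DD) on which a file or directory was last modified.
mtime_day() { date -r "$1" +%Y-%m-%d; }

# Step 4: anything in storage whose name starts with com.mufc., one per line.
find_markers() {
    find "$1" -mindepth 1 -name 'com.mufc.*' | LC_ALL=C sort
}

# Steps 5-6: list top-level entries under ROOT modified on the same day as any
# marker, excluding the markers themselves and core directories.
# Prints one path per line; nothing is deleted.
find_residue() {
    root=$1
    days=$(find_markers "$root" | while IFS= read -r m; do mtime_day "$m"; done | sort -u)
    [ -n "$days" ] || return 0            # no marker found: nothing to report
    find "$root" -mindepth 1 -maxdepth 1 ! -name 'com.mufc.*' \
         ! -name Download ! -name DCIM ! -name Android | LC_ALL=C sort |
    while IFS= read -r entry; do
        d=$(mtime_day "$entry")
        # exact, whole-line match against the set of marker dates
        if printf '%s\n' "$days" | grep -qxF "$d"; then
            printf '%s\n' "$entry"
        fi
    done
}

# Usage: sh xhelper_residue.sh /path/to/pulled/sdcard
if [ $# -gt 0 ]; then
    echo "markers:";  find_markers "$1"
    echo "same-day entries (review before deleting):"; find_residue "$1"
fi
```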