It has taken security researchers nearly ten months to discover a reliable method of cleaning smartphones infected with xHelper, a type of Android malware that, until recently, has been impossible to remove.
The removal technique is described at the end of this article, but first some context for readers who want to learn more about xHelper.
This particular malware strain has caused quite the pain for users all over the world in the past ten months. The malware was first spotted back in March 2019, when users began complaining on various internet forums about an app they weren't able to remove, even after factory resets.
These apps were responsible for perstering users with intrusive popup ads and notification spam. Nothing really malicious, but still very annoying.
As the year progressed, xHelper campaigns expanded the malware's reach, infecting more and more devices. According to a Malwarebytes report, there were around 32,000 infected devices by August, a number that later reached 45,000 by late October, when Symantec researchers also published their own report on the threat.
According to researchers, the source of these infections was "web redirects" that sent users to web pages hosting Android apps. The sites instructed users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps eventually downloaded and installed the xHelper trojan.
But while discovering its source, reach, and point of infection was easy, what confounded security researchers last year was that they couldn't remove the malware from a device by traditional methods, such as uninstall the original xHelper app or by a factory reset.
Every time a user would factory reset the device, the malware would simply pop up a few hours later, reinstalling itself with no user interaction.
The only way to remove xHelper was to perform a full device reflash by reinstalling the entire Android operating system, a solution that was not possible for all infected users, many of whom didn't have access to the correct Android OS firmware images to perform a reflash.
Some clues emerge
Since coming across the malware last year, security researchers from Malwarebytes have continued to look into the threat.
In a blog post today, the Malwarebytes team say that while they still haven't figured out exactly how the malware reinstalls itself, they did discover enough information about its modus operandi in order to remove it for good and prevent xHelper from reinstalling itself after factory resets.
The Malwarebytes team says that xHelper has apparently found a way to use a process inside the Google Play Store app in order to trigger the re-install operation.
With the aid of special directories it had created on the device, xHelper was hiding its APK on disk to survive factory resets.
"Unlike apps, directories and files remain on the Android mobile device even after a factory reset," says Nathan Collier, Senior Malware Intelligence Analyst at Malwarebytes.
Collier believes that once the Google Play Store app performed some yet-to-be-determined operation (supposedly some kind of scan), it reinstalled itself.
Collier has now put together a series of steps that users can follow to remove the xHelper malware from devices and prevent it from reinstalling itself.
Of note, these instructions rely on users installing the Malwarebytes for Android app, but this app is free to use, so it shouldn't be any issue for users.
Step 1: Install a file manager from Google Play that has the capability to search files and directories. (ex: Amelia used File Manager by ASTRO).
Step 2: Disable Google PLAY temporarily to stop re-infection.
Go to Settings > Apps > Google Play Store
Press Disable button
Step 3: Run a scan in Malwarebytes for Android to identify the nameof the app that hides the xHelper malware. Manually uninstalling can be difficult, but the names to look for in the Android OS Apps info section are fireway, xhelper, and Settings (only if two settings apps are displayed).
Step 4: Open the file manager and search for anything in storage starting with com.mufc.
Step 5: If found, make a note of the last modified date.
Sort by date in file manager
In File Manager by ASTRO, you can sort by date under View Settings.
Step 6: Delete anything starting with com.mufc. and anything with same date (except core directories like Download):