The xHelper malware made headlines back in October 2019 when it infected nearly 45 000 phones; not even a factory reset could remove the malware from an Android device.
After months of research, a security researcher at Kaspersky, Igor Golovin, explains why the xHelper malware and matryoshka trojanware is “unkillable”.
The malware reportedly “disguises itself as a popular cleaner and speed-up app for smartphones”. Golovin adds:
“But in reality, there is nothing useful about it. After installation, the ‘cleaner’ simply disappears and is nowhere to be seen either on the main screen or in the program menu. You can see it only by inspecting the list of installed apps in the system settings.
What does the malware do?
According to Golovin, the trojan core is encrypted in a file titled /assets/firehelper.jar. Its main task is to send information from the victim’s Android phone to https://lp.cooktracking.v1/ls/get.
The information includes Android ID, device manufacturer details, including the model and firmware version. In addition, the “cleaner app” also installs a malicious module called Trojan-Dropper.AndroidOS.Agent.Of.
Golovin explains that “this malware, in turn, decrypts and launches its payload using a bundled native library; this approach makes it difficult to analyse the module”.
Following that, the next dropper, Trojan-Dropper.AndroidOS.Helper.b, is decrypted and launched to further infect the device. A nasty piece of malware indeed.
Golovin explains how the malicious files are stored on an Android device and provides detailed information on how the trojan software changes the permission of a device.
In short, the malware installs a backdoor which provides hackers with the ability to override you, the owner of the phone. Hackers will have full access to all app and firmware data.
Are you at risk?
Scary as this trojan may sound, it seems to only affect older Android devices running on Android 6 (Marshmallow) or Android 7, (Nougat), which get their apps from sources other than the official Google Play store.
So, if you’re using a fairly recent Android device and haven’t tampered with the app settings – that is, you don’t accept app downloads from unknown sources – you should be fine.
How to remove xHelper malware?
One cannot simply delete the xHelper malware as it installs a file in the system partition which would re-install the malware immediately. Golovin advises:
“If you have Recovery mode set up on your Android smartphone, you can try to extract the libc.so file from the original firmware and replace the infected one with it, before removing all malware from the system partition.”
He adds that it is also “simpler and more reliable to completely reflash the phone”. Reflashing a phone means overwriting one of the device’s partitions to replace the software or install new software.
In most cases, this is done to remove the device’s pre-installed ‘bloatware’. If you need to Google “how to reflash your phone,” you should probably not be reflashing your phone. Furthermore, Golovin adds:
“Bear in mind too that the firmware of smartphones attacked by xHelper sometimes contains pre-installed malware that independently downloads and installs programs (including xHelper). In this case, reflashing is pointless, so it would be worth considering alternative firmwares for your device.”
Another possible solution
While it may seem pointless at this stage, Nathan Collier, a senior malware intelligence analyst, claims that the free Malwarebytes for Android app is capable of removing the trojan. He suggests:
- Install a file manager (such as Malware Bytes or File Manager by ASTRO) from Google PLAY that has the capability to search files and directories.
- Disable Google PLAY temporarily to stop re-infection.
- Go to Settings > Apps > Google Play Store
- Press Disable button
- Run a scan in Malwarebytes for Android to remove xHelper and other malware.
- Manually uninstalling can be difficult, but the names to look for in Apps info are fireway, xhelper, and Settings (only if two settings apps are displayed).
- Open the file manager and search for anything in storage starting with com.mufc.
- If found, make a note of the last modified date.
- Pro tip: Sort by date in file manager
- In File Manager by ASTRO, you can sort by date under View Settings
- Delete anything starting with com.mufc. and anything with same date (except core directories like Download):
- Re-enable Google PLAY
- Go to Settings > Apps > Google Play Store
- Press Enable button