27 September 2023

Sticking around: How an Android malware is proving hard to kill

Start the conversation

Cat Ellis* says security experts have discovered a sneaky Android malware that can reinstall itself even after a factory reset.


Security experts have identified a particularly stubborn strain of Android malware that somehow manages to reinstall on a victim’s device, even after they’ve performed a full factory reset.

The malware, known as xHelper, was first discovered and documented by researchers from security company Malwarebytes in May 2019.

It was identified as a trojan dropper, which installs malicious Android Package Kits (APKs) on your phone without your knowledge or permission.

If you start to see new app and notification icons that you don’t recognise, there’s a chance that your phone has been infected with this type of malware, though it’s not always obvious; malware is often disguised as legitimate system applications, and the icons can be hidden away.

Déjà vu

As Ars Technica reported, Malwarebytes has now published an account from a victim who went to huge lengths to purge her phone of two xHelper variants, including performing a full factory reset.

Each time she managed to remove the malware, it reappeared on her device within an hour.

Malware is a serious problem for Android phones, which typically come with between 100 and 400 apps pre-installed.

If just one of those apps is compromised, devices will be infected before they even find their way into customers’ hands.

The security researchers suspected this might be the issue with xHelper, particularly since the infected phone was from a lesser-known manufacturer, but even removing its pre-installed apps didn’t solve the problem.

Eventually, an exploration of the phone’s system files revealed an APK that installed an xHelper variant on the phone.

Strangely, this seemed to be triggered by something in the Google Play Store app, though Google Play itself was unaffected.

The team managed to remove the malware, but it was unclear how the file came to be on the phone in the first place, or how it survived a factory reset.

* Cat Ellis is downloads and developing tech editor for Tech Radar. She tweets at @CatberryCrumble.

This article first appeared at www.techradar.com.

Start the conversation

Be among the first to get all the Public Sector and Defence news and views that matter.

Subscribe now and receive the latest news, delivered free to your inbox.

By submitting your email address you are agreeing to Region Group's terms and conditions and privacy policy.