XHelper is a malware for Android that has been around for a while. Security company Malwarebytes first detected it in May 2019.
Since then, almost all Android security apps can detect xHelper, which means that the Appliances με Android που χρησιμοποιούν κάποιο αξιόπιστο λογισμικό ασφαλείας θα πρέπει να προστατεύονται από αυτό το malware.
But as it turns out, cleaning a device is much harder than we thought, as xHelper comes back even after a full system reset.
How is that possible; According to Malwarebytes, xHelper does not use any pre-installed malware on the firmware, but Google Play, which still “serves” it malware after a complete reset of a device or after a successful cleanup with an antivirus program.
“Google Play is not infected with malicious proletterthe. However, something in Google PLAY is causing re-infections – perhaps something left on storage. Additionally, doing so could use Google Play as a smokescreen, misrepresenting it as a source of malware installation, when it is actually coming from another site," Malwarebytes says in a new analysis of malware.
The security company describes in detail a case of infection with xHelper. After a closer look at the files stored on the infected Android device, it was discovered that a Trojan dropper was embedded in an APK located in a directory called com.mufc.umbtts.
Researchers still do not know how Google Play is used to cause the infection.
“Πουθενά στη συσκευή δεν φαίνεται να έχει εγκατασταθεί το Trojan.Dropper.xHelper.VRW. Πιστεύουμε ότι εγκαταστάθηκε, έτρεξε και απεγκαταστάθηκε ξανά μέσα σε λίγα seconds για να αποφευχθεί η ανίχνευση-όλα αυτά από κάτι που ενεργοποιήθηκε από το Google Play. Το “πώς” είναι ακόμα άγνωστο”, αναφέρουν οι ερευνητές της Malwarebytes.
To clear the infection, you must first disable the Google Play Store and then run a device scan with an antivirus. Otherwise, the malware will return despite being deleted.