The xHelper is a malware for Android which has been circulating for some time. The security company Malwarebytes detected it for the first time in May 2019.
Since then, almost all Android security apps can detect xHelper, which means that Android devices using a trusted software security systems should be protected from this malware.
But as it turns out, cleaning up a device is a lot harder than we thought, as xHelper comes back even after a full reset of the system.
How is that possible; According to Malwarebytes, xHelper does not uses some pre-installed malware in the firmware, but Google Play, which still “serves” it malware after a complete reset of a device or after a successful cleanup with an antivirus program.
"Google Play is not infected with malware. However, something in Google PLAY causes re-infections - maybe something left in storage. In addition, it could use Google Play as a smokescreen, falsifying it as a source of malware installation, when in fact it comes from another site, "says Malwarebytes in a new analysis of malware.
The security company describes in detail a case of infection with xHelper. After a closer look at the files stored on the infected Android device, it was discovered that a Trojan dropper was embedded in an APK located in a directory called com.mufc.umbtts.
Researchers still do not know how Google Play is used to cause the infection.
“Trojan.Dropper.xHelper.VRW does not appear to be installed anywhere on the device. We believe it was installed, run and uninstalled again within seconds to avoid crawling - all from something triggered by Google Play. "The 'how' is still unknown," say Malwarebytes researchers.
To clear the infection, you must first disable the Google Play Store and then run a device scan with an antivirus. Otherwise, the malware will return despite being deleted.