XHelper is a malware for Android that has been around for a while. Security company Malwarebytes first detected it in May 2019.
Since then, almost all the applications Android security software can detect xHelper, which means that Android devices using a trusted software security systems should be protected from this malware.
But as it turns out, cleaning a device is much harder than we thought, as xHelper comes back even after a full system reset.
How is that possible; According to Malwarebytes, xHelper does not use any pre-installed malware on the firmware, but Google Play, which still "serves" the malware after a complete reset of a device or after a successful cleanup with an antivirus program.
“Google Play is not infected with malware. However, something in Google PLAY is causing re-infections – maybe something left on storage. Additionally, doing so could use Google Play as a smokescreen, misrepresenting it as a source installationof malware, when it actually comes from another site," Malwarebytes says in a new analysis of malware.
The security company details a case contaminations with xHelper. After a closer examination of the files stored on the infected Android device, it was discovered that a Trojan dropper was embedded in an APK located in a directory called com.mufc.umbtts.
Researchers still do not know how Google Play is used to cause the infection.
“Trojan.Dropper.xHelper.VRW does not appear to be installed anywhere on the device. We believe it was installed, run and uninstalled again within seconds to avoid crawling - all from something triggered by Google Play. "The 'how' is still unknown," say Malwarebytes researchers.
To clean the infection, you should first disable Google Play Store and then run a device scan with an antivirus. Otherwise, the malware will return despite being deleted.