Kaspersky researchers earlier this year detailed a unique Android malware that cannot be removed even after a factory reset. Called xHelper, the trojan baffled cyber-security researchers with its persistence and how it can survive almost all attempts to remove it from the device. While the researchers published a detailed report on the malware’s MO in February, they were still unsure about the secrets behind its persistence. That, however, has changed now, with a different researcher being able to finally unlock its mysteries.
According to Kaspersky researcher, Igor Golovin, the latest strand of the malware, Trojan-Dropper.AndroidOS.Helper.h, disguises itself as a popular cleaner app for smartphones, but after installation, it simply disappears and is nowhere to be seen either on the main screen or in the program menu. It can only be found in the list of installed apps in the system settings.
Once installed, the malware collects and sends personally-identifiable details about the victim’s phone, including Android ID, manufacturer, model, firmware version, etc.) to a third-party website, and then proceeds to download the next malicious module. It keeps downloading one Trojan module after another, including the notorious Triada, which gains root privileges on the infected device and enables the malware to install a series of malicious files directly into the system partition.
The malware largely affects devices running Android 6 Marshmallow and Android 7 Nougat, although it’s not as widespread as earlier believed. Either way, Golovin says that once a device is infected with xHelper, the easiest and most reliable way to get rid of it is to completely reflash the phone, preferably with a different firmware, if available. You can read all the technical details about xHelper on the Kaspersky’s official security blog.