This crazy bit of malware is the best reason to use only Google Play to get your apps

By Jerry Hildenbrand
last updated

Google Play Store
Google Play Store (Image credit: Android Central)

There's a scary bit of malware floating out there in the wild. Known as xHelper, it's not what the malware does once installed that's so bad, but how it keeps itself installed.

First thing's first. This isn't any sort of rampant infection by any measure. Symantec (opens in new tab) and Norton both estimate that there are less than 75,000 cases if it in the wild and when you have 2 billion potential victims that's a very tiny percentage.

It's not the numbers of users affected that's troubling but how it's happening.

It's not one of those bad actors that harvests all your data, either. xHelper seems to spam your notifications and change your browser homepage.

It also doesn't come from any apps in Google Play according to every company that's looked into it. Malwarebytes (opens in new tab) has this to say about it:

The source of these infections is "web redirects" that send users to web pages hosting Android apps. These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan.

So far, this sounds like any number of malware episodes that we see far too often. But this is just the regular part of the story. What's so bad about this one is that the malware keeps finding a way to reinstall itself once it's been uninstalled, even if you factory reset your phone.

Play Protect

Source: Android Central (Image credit: Source: Android Central)

There are several different theories about how this could be happening. Maybe the actual vendor's code — all instances of xHelper have been found on Chinese-made phones that don't have a big US presence — is infected is one of them. Others think that Chrome is the culprit, as users say uninstalling Chrome is the only way to keep xHelper from coming back.

There are several ways xHelper could be finding its way onto phones. Google Play is not one of them.

Another idea, and the one that makes the most sense to me, is that app data backups through Google's own service contain whatever is needed for xHelper to find its way back into your phone. To top all this off, it keeps finding ways to bypass any security apps including Google Play Protect as it evolves.

How it finds its way back onto infected phones and the potential harm it can cause are concerning. But this whole mess tells us one thing pretty clearly: unless you know how to make sure an app is clean and safe, stick to Google Play for all of your apps.

Let the pros handle things and you'll have less problems when it comes to malware. Google may do some silly things, but when it comes to security the know what's up.

Jerry Hildenbrand
Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

10 Comments
  • Better yet. Just use a candy bar style Nokia phone or a flip phone from Motorola.
  • Yeah but what about my Samsung pay i use constantly with my pixel 4. During the gear setup it makes you change unknown sources on for the Samsung accessibility service. Is that ok you think?.
  • My BLU phone has unknown sources disabled today, Xhelper still comes, it doesn't use package installer... It is installed by an OEM bundled system app.
  • Actually, on Android Oreo, there is not even an"unknown sources"option anymore, you give permission to each app to install apps, i removed the permission from every single app. This is another proof that xhelper is injected by the Stock ROM from BLU, OEM vendor system apps themselves. This is a vendor trap!! Not users' fault
  • Reason #9996500053 why Epic should've just bit the bullet and distributed Fortnite through the Play Store.
  • Perhaps rare and less risky, but there have been apps on the Google Play Store that were infected and not immediately caught. Yes, still better than stuff in the wild, but it seems nothing is 100% secure.
  • "AI.type" says: you're kidding yourself if you think the Play Store is safe.
  • I'm afraid this has nothing to do with Google Play, as i live Google-less.. it is bundled on low-end phones like my BLU L4 Spreadtrum. I have many flagships too rooted with Magisk, TWRP, updated custom ROMs. But this 2019 Oreo Go phone is OEM-locked, bootloader locked, adb and fastboot commands overwritten, wtf. all my apks are the same on any of my phones. This phone has a system app (probably FACTORY TEST) which always send to an amazon server: working stat, sms stat ,last active... Xhelper is installed by the system silently in the background without displaying Package Installer. Xhelper connects to a hong kong server (i don't like british colonies) to display a gamehub overlay which Android Go Edition often kills to save RAM, lol. Once it sent many UID SMS to my carrier which bought many SMS services which i immediately contacted them to cancel and refund me. Nowadays XHelper is renamed as SERVER app version 2.3.5 on my BLU
  • Even then, you should know what your downloading. I want an app 2 sd app for my samsung tablet. I cannot click on download because I don't know which ones are legit anymore.
  • 1. Use an adblock (rootless: bromite browser, brave browser, or kiwi browser with ublock origin extension, or with root: adaway from f-droid), there will be only one download button. Trust only APKPure or APKMirror 2. Use FOSS (free libre open source software) alternative to Play Store, "aurora store" https://f-droid.org/en/packages/com.aurora.store/ , you can log in with the bundled anonymous account token generator and download directly from Play Store on Google-less phones Again, all my rooted phones are never infected, just this "unroot-able" BLU L4 Oreo Go Edition stock bundled with system apps that download and inject Xhelper without even using the package installer Again, this xhelper case is a Vendor Trap!! Not end users' fault. The xhelper/survey app is injected deployed by the BLU stock ROM's system apps themselves!!