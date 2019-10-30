There's a scary bit of malware floating out there in the wild. Known as xHelper, it's not what the malware does once installed that's so bad, but how it keeps itself installed. First thing's first. This isn't any sort of rampant infection by any measure. Symantec and Norton both estimate that there are less than 75,000 cases if it in the wild and when you have 2 billion potential victims that's a very tiny percentage. It's not the numbers of users affected that's troubling but how it's happeneing. It's not one of those bad actors that harvests all your data, either. xHelper seems to spam your notifications and change your browser homepage. It also doesn't come from any apps in Google Play according to every company that's looked into it. Malwarebytes has this to say about it:

The source of these infections is "web redirects" that send users to web pages hosting Android apps. These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan.

So far, this sounds like any number of malware episodes that we see far too often. But this is just the regular part of the story. What's so bad about this one is that the malware keeps finding a way to reinstall itself once it's been uninstalled, even if you factory reset your phone.