A nearly impossible to remove Android malware has infected 45,000 devices

Android malware on a Sony smartphone
Android malware on a Sony smartphone (Image credit: Android Central)

What you need to know

  • The app has infected over 45,000 devices in the last six months, says Symantec.
  • The malware has, so far, only carried out relatively benign activities such as showing pop-up ads and unwanted notifications.
  • The most notable thing about xHelper is its persistence. Even factory resets are no match against it.

A new security threat has been making mobile security researchers scratch their collective heads for the past few months. It's called xHelper, and this is one app that just can't take a hint.

Only about seven months old, the malware had already reached MalwareBytes' top 10 list of malware by August. Symantec (opens in new tab), on the other hand, says it has detected at least 45,000 infections by the app thus far, with more every day. Security researchers say the app is being distributed via websites that encourage users to sideload apps onto their device. These apps then install the xHelper trojan onto the device.

After installation, the app then proceeds to spam the device with notifications and pop-up ads. Both Symantec and Malwarebytes (opens in new tab) note that the app's nefarious activities are seemingly only limited to these prompts encouraging you to download other apps or play online games. That is likely the primary source of revenue for the group behind the app, as each click or install earns them a tiny bit of money.

What's far more interesting is the care that's taken in ensuring the app cannot be removed from the device. Not only does the app prefer to operate silently from the shadows, but it also jumps through various hoops and uses encryption to mask its installation. Detection is the first step in combating malware and the ingeniously crafted malware is meticulous about hiding both its installation and its existence from the user.

xHelper notifications

Source: Malwarebytes (Image credit: Source: Malwarebytes)

Malwarebytes suggests the app comes in two variants: semi-stealth and full-stealth. In both configurations, the app does not create an app icon or a shortcut icon in order to ensure users do not notice the app's presence on their device. This also prevents them from easily uninstalling the nasty piece of work from their devices; after all, if there's no app icon on your launcher, how can you drag it to the uninstall button? The only way an average smartphone user would even notice its presence is thanks to the xHelper notification icon that these ad notifications are accompanied by in the app's semi-stealth variant. The full-stealth configuration doesn't even have that.

Lacking a launcher icon, xHelper is designed to automatically begin running as a foreground service based on various triggers, such as when the device is booted or the power is connected/disconnected. Once that's done, even if you uninstall the app that xHelper came with, the malware will continue to reside on your device.

Planning on manually stopping the service? xHelper will restart it to ensure it keeps pushing ads at you. You've removed the service altogether? xHelper will magically reappear on your phone. Are you finally enraged enough to consider nuking your phone with a factory reset? Don't bother, because xHelper will inexplicably come back. And that's the most dangerous thing about xHelper: its persistence in always being there to 'help' you to a serving of ads and spam whether you want it or not. Researchers at Symantec have so far been unable to decipher the mechanism through which the app is able to resurrect itself from the dead even after a factory reset.

In the interest of keeping your device as safe as possible, it's always a good idea to not sideload apps outside the Play Store. Also, be very careful about pages that redirect you to other websites and never click on anything if you have been redirected to an unknown site.

While the app has so far stuck to the mostly 'benign' realm of serving unwanted ads, Symantec's researchers note that the service also establishes connections to a remote server for the purpose of receiving commands. This could easily allow the malware to go from an unwanted nuisance to a significant security threat capable of installing other malicious applications on the device or even hijacking the phone entirely. That capability, combined with its legendary persistence, makes xHelper one terrific threat in the mobile realm.

Best antivirus apps for Android in 2019

Muhammad Jarir Kanji
32 Comments
  • "In the interest of keeping your device as safe as possible, it's always a good idea to not sideload apps outside the Play Store. Also, be very careful about pages that redirect you to other websites and never click on anything if you have been redirected to an unknown site." Hmmm from time to time I sideload apps! Usually because they are unavailable to me because of region restrictions. However I never click on any of the numerous random and obtrusive adverts that this site serves up on every click.
    Seriously are you taking the piss
  • I'm afraid this has nothing to do with sideloading, I'm sure it is bundled on low-end phones like my BLU L4 Spreadtrum. I have many unaffected flagships rooted with Magisk, TWRP, updated custom ROMs. But this 2019 Oreo Go phone is OEM-locked, bootloader locked, adb and fastboot commands overwritten, wtf. all my apks are the same on any of my phones. This phone has a system app (probably FACTORY TEST) which always send to an amazon server: working stat, sms stat ,last active... Xhelper is installed by the system silently in the background without displaying Package Installer. Xhelper connects to a hong kong server (i don't like british colonies) to display a gamehub overlay which Android Go Edition often kills to save RAM, lol. Once it sent many UID SMS to my carrier which bought many SMS services which i immediately contacted them to cancel and refund me. Nowadays XHelper is renamed as SERVER app version 2.3.5 on my BLU
  • Thank you very much for this article.
  • This article sounds... fake? Alarmist? Unrealistic? For example, if factory resets don't work then I should just throw all these phones in the garbage.
  • I have personally seen this malware on a cheap earn tecno phone
  • I'm afraid this is true. I already wiped my phone dozens of times, now empty. I'm sure it is bundled on low-end phones like my BLU L4 Spreadtrum. I have many unaffected flagships rooted with Magisk, TWRP, updated custom ROMs. But this 2019 Oreo Go phone is OEM-locked, bootloader locked, adb and fastboot commands overwritten, wtf. all my apks are the same on any of my phones. This phone has a system app (probably FACTORY TEST) which always send to an amazon server: working stat, sms stat ,last active... Xhelper is installed by the system silently in the background without displaying Package Installer. Xhelper connects to a hong kong server (i don't like british colonies) to display a gamehub overlay which Android Go Edition often kills to save RAM, lol. Once it sent many UID SMS to my carrier which bought many SMS services which i immediately contacted them to cancel and refund me. Nowadays XHelper is renamed as SERVER app version 2.3.5 on my BLU
  • yep, bundled in the os is what I'm thinking too.
  • I use a Pixel 4 XL , the most secure Android phone on the planet.
  • Hahaha good joke
  • Maybe the user is going right back to the source in question after factory resetting the device.... Maybe naughty 3rd party apps and or sites?
  • The analysts at Symantec are going back to the naughty 3rd party apps and/or sites after factory resetting the test devices and then publishing their research findings? That makes sense.
  • I'm afraid this has nothing to do with sideloading, I'm sure it is bundled on low-end phones like my BLU L4 Spreadtrum. I have many unaffected flagships rooted with Magisk, TWRP, updated custom ROMs. But this 2019 Oreo Go phone is OEM-locked, bootloader locked, adb and fastboot commands overwritten, wtf. all my apks are the same on any of my phones. This phone has a system app (probably FACTORY TEST) which always send to an amazon server: working stat, sms stat ,last active... Xhelper is installed by the system silently in the background without displaying Package Installer. Xhelper connects to a hong kong server (i don't like british colonies) to display a gamehub overlay which Android Go Edition often kills to save RAM, lol. Once it sent many UID SMS to my carrier which bought many SMS services which i immediately contacted them to cancel and refund me. Nowadays XHelper is renamed as SERVER app version 2.3.5 on my BLU
  • Probably some evil genius has found a way to make some code masquerade as a firmware update. And like os updates and security patches it doesn't get erased during a reset.
  • I'm afraid I'm sure it is bundled on low-end phones like my BLU L4 Spreadtrum. I have many unaffected flagships rooted with Magisk, TWRP, updated custom ROMs. But this 2019 Oreo Go phone is OEM-locked, bootloader locked, adb and fastboot commands overwritten, wtf. all my apks are the same on any of my phones. This phone has a system app (probably FACTORY TEST) which always send to an amazon server: working stat, sms stat ,last active... Xhelper is installed by the system silently in the background without displaying Package Installer. Xhelper connects to a hong kong server (i don't like british colonies) to display a gamehub overlay which Android Go Edition often kills to save RAM, lol. Once it sent many UID SMS to my carrier which bought many SMS services which i immediately contacted them to cancel and refund me. Nowadays XHelper is renamed as SERVER app version 2.3.5 on my BLU
  • Go after the companies who are paying this app for ads and charge them with "something".. Just for being part of this (even though they'll say they didn't know) . And then go after the app/virus makers.
  • I'm afraid this is very true, I'm sure it is bundled on low-end phones like my BLU L4 Spreadtrum. I have many unaffected flagships rooted with Magisk, TWRP, updated custom ROMs. But this 2019 Oreo Go phone is OEM-locked, bootloader locked, adb and fastboot commands overwritten, wtf. all my apks are the same on any of my phones. This phone has a system app (probably FACTORY TEST) which always send to an amazon server: working stat, sms stat ,last active... Xhelper is installed by the system silently in the background without displaying Package Installer. Xhelper connects to a hong kong server (i don't like british colonies) to display a gamehub overlay which Android Go Edition often kills to save RAM, lol. Once it sent many UID SMS to my carrier which bought many SMS services which i immediately contacted them to cancel and refund me. Nowadays XHelper is renamed as SERVER app version 2.3.5 on my BLU
  • Is there a deeper reset that manufacturers do when they refurbish old phones? Could refurbs come with this?
  • I assume by factory reset, they mean going into settings > system > reset and performing the factory reset there. I'm certain that a complete wipe of the device with fastboot -w then flashing the factory image for a device would be able to get rid of this malware.
  • So go all tabula rasa on its ass. Probably work but not practical for the average person. Time for a new phone😃
  • I'm afraid this has nothing to do, I'm sure it is bundled on low-end phones like my BLU L4 Spreadtrum. I have many unaffected flagships rooted with Magisk, TWRP, updated custom ROMs. But this 2019 Oreo Go phone is OEM-locked, bootloader locked, adb and fastboot commands overwritten, wtf. all my apks are the same on any of my phones. This phone has a system app (probably FACTORY TEST) which always send to an amazon server: working stat, sms stat ,last active... Xhelper is installed by the system silently in the background without displaying Package Installer. Xhelper connects to a hong kong server (i don't like british colonies) to display a gamehub overlay which Android Go Edition often kills to save RAM, lol. Once it sent many UID SMS to my carrier which bought many SMS services which i immediately contacted them to cancel and refund me. Nowadays XHelper is renamed as SERVER app version 2.3.5 on my BLU
  • "fastboot format userdata" in fastboot and rid yourselves of this virus... Of course have factory images to flash afterwards. ;)
  • I feel exactly zero pity. I'm sorry. Go to a shady site to download an app outside of the official store? They're most likely pirating the apps because they didn't want to pay for them. You roll the dice, sometimes you lose. Oops
  • It's not just people "pirating apps" it's people trying to get apps that they can't buy in their local app store, and apps that are not on the Google app store. But sure, just come at this with the ignorant opinion of " they're all pirates, who cares"....really speaks to your character...not.
  • Just so I understand your comment. You are in a region that doesn't have access to the Google Play Store, and you need to use a different store for downloading apps? Or you just choose not to use the Play Store?
  • I'm afraid this has nothing to do with sideloading, I'm sure it is bundled on low-end phones like my BLU L4 Spreadtrum. I have many unaffected flagships rooted with Magisk, TWRP, updated custom ROMs. But this 2019 Oreo Go phone is OEM-locked, bootloader locked, adb and fastboot commands overwritten, wtf. all my apks are the same on any of my phones. This phone has a system app (probably FACTORY TEST) which always send to an amazon server: working stat, sms stat ,last active... Xhelper is installed by the system silently in the background without displaying Package Installer. Xhelper connects to a hong kong server (i don't like british colonies) to display a gamehub overlay which Android Go Edition often kills to save RAM, lol. Once it sent many UID SMS to my carrier which bought many SMS services which i immediately contacted them to cancel and refund me. Nowadays XHelper is renamed as SERVER app version 2.3.5 on my BLU
  • Aww, it can be eradicated if your bootloader's unlocked. Just chuck the stock rom, put custom rom on.
  • I saw an article yesterday that said it was "completely unremovable* so, which is it? Is it impossible to remove? Or nearly impossible?....because the article I read said that people tried everything, to no avail. This is what I hate about internet news media. One source says A and another says B. And the reader is left not knowing what the truth is
  • Yeah, it would be nice if somewhere it mentions what does work if it is "nearly" impossible. It is implying that something can be done about it.
  • You could wipe everything (including the system partition) and then flash the stock system image, if it's possible on the phone in question
  • I'm afraid I'm sure it is stock bundled on low-end phones like my BLU L4 Spreadtrum. I have many unaffected flagships rooted with Magisk, TWRP, updated custom ROMs. But this 2019 Oreo Go phone is OEM-locked, bootloader locked, adb and fastboot commands overwritten, wtf. all my apks are the same on any of my phones. This phone has a system app (probably FACTORY TEST) which always send to an amazon server: working stat, sms stat ,last active... Xhelper is installed by the system silently in the background without displaying Package Installer. Xhelper connects to a hong kong server (i don't like british colonies) to display a gamehub overlay which Android Go Edition often kills to save RAM, lol. Once it sent many UID SMS to my carrier which bought many SMS services which i immediately contacted them to cancel and refund me. Nowadays XHelper is renamed as SERVER app version 2.3.5 on my BLU
  • It's extremely difficult to take this article seriously for a number of reasons, seems like an antimalware vendor puff piece.
    Extremely difficult to remove? You say all the ways that don't work but not a single way that does work! You say there's no launcher icon etc - well there's nothing new about that. Is it in the actual settings ->app list? If yes then is easy to remove and this isn't new. If no, then this isn't simply an app and it can only achieve this by exploiting a security vulnerability in Android. And that's the critical information here that is not mentioned at all!!! If it's exploiting a bug, is it achieving privilege escalation? If so, what is it exploiting and which versions of Android are vulnerable. This is so basic I cannot believe it wasn't including in the article - the notion that a security "researcher" has been looking at this for 6+ months but hasn't determined that yet is complete garbage.
    As for surviving a factory reset, this is extremely suspect to say the least. But again to not understand *how* after 6 months beggars belief. This **** isn't black magic! Ultimately they are just files - it's not hard to test an infected device, reset it and then look at what files are there, even over adb in recovery mode. It would take 15 mins to find any file that was out of place and you'd have your answer. But in any case, there's no way it can survive a reset without achieving full root permissions, and again that would be easy to detect and obvious to report in this article. Instead some nonsense explanation about "encryption" being used, which makes no sense and explains nothing, is given.
    You've been "had" by Symantec! I'm only surprised that they didn't get you to say "almost impossible, except if you install Symantec"
  • I'm afraid this is true, I'm sure it is bundled on low-end phones like my BLU L4 Spreadtrum. I have many unaffected flagships rooted with Magisk, TWRP, updated custom ROMs. But this 2019 Oreo Go phone is OEM-locked, bootloader locked, adb and fastboot commands overwritten, wtf. all my apks are the same on any of my phones. This phone has a system app (probably FACTORY TEST) which always send to an amazon server: working stat, sms stat ,last active... Xhelper is installed by the system silently in the background without displaying Package Installer. Xhelper connects to a hong kong server (i don't like british colonies) to display a gamehub overlay which Android Go Edition often kills to save RAM, lol. Once it sent many UID SMS to my carrier which bought many SMS services which i immediately contacted them to cancel and refund me. Nowadays XHelper is renamed as SERVER app version 2.3.5 on my BLU