xHelper 'Unkillable' Malware Survives Factory Reset, Still Infecting Android Phones

android malware
We've discussed the rather nasty xHelper malware on a number of occasions here at HotHardware, and it's a rather insidious trojan. XHelper first started making the rounds via the Google Play Store roughly a year ago, and by October 2019, over 45,000 Android devices had fallen victim to its tainted tentacles. As of now, that number has surpassed 50,000.

The folks over at Kaspersky have performed a rather thorough analysis of xHelper, which manifests itself in Trojan-Dropper.AndroidOS.Helper.h and is typically distributed via apps that claim to clean your smartphone or boost its performance. However, once the payload is downloaded, decrypted, installed, and then launched on a device, it then downloads another piece of malware called Trojan-Downloader.AndroidOS.Leech.p.

But it doesn't stop there, Leech.p then proceeds to download HEUR:Trojan.AndroidOS.Triada.dd, which then allows root access to the device. If there's any consolation, Kaspersky notes that root access is only possible on some cheap Chinese phones running Android 6 or Android 7. With root access, it installs even more malware to the system partition. It then classifies itself as immutable so that it can no longer be deleted, making it hard for antivirus programs to properly take care of the infection.


"Armed with root rights, the Trojan remounts it in write mode and proceeds to the main job of starting the tellingly named script forever.sh, writes Kaspersky's Igor Golovin. "Triada employs its best-known tricks, including remounting the system partition to install its programs there."

This is part of the reason why xHelper is considered to be "unkillable", as it manages to incorporate escalated privileges with the ability to re-download necessary components from its C&C server even when some of its files are deleted. And this infection can even persist after a device has been factory reset. 

Further compounding the issue is that many of these cheap Android devices come from the factory with malware installed in the firmware, which will then proceed to download xHelper and other offending trojans. In these cases, Golovin points out that a factory reset is often pointless, and that one of the only sure-fire ways to rid your device of the infection is to use an alternative firmware, although he notes that "some of the device's components might not operate properly."

In the end, it's best to remain vigilant when installing software on Android devices (or any device for that matter). Although the Google Play Store has had its share of malware problems, downloading apps from third-party apps stores or "untrusted sources" puts you at even greater risk to infections.