Making Xhelper a more significant threat is the fact that the app itself downloads other threats along with displaying ads. Currently, Xhelper is targeting users in India, the United States, and Russia. Symantec says that Xhelper is part of a surge in apps that can hide from users, download additional malicious apps, and display ads.
Frustrating users even more is the fact that Xhelper is persistent: it can reinstall itself after the user uninstalls it, and it is designed to stay hidden, never appearing in the system launcher. The app has no regular user interface and stays out of the launcher because it is only an application component. The software launches when the device is connected to or disconnected from a power supply, when the device is rebooted, or when an app is installed or uninstalled.
The malware registers itself as a foreground service when launched to help prevent it from being closed if memory is low. Once on the victim's device, Xhelper starts to execute its core malicious functionality by decrypting the malicious payload in its package. That package then contacts the C&C server and awaits commands. Symantec says that the malware on the C&C server is thought to be "vast and varied," giving multiple attack options, including data theft or a takeover of the device.
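As an added illustration (not code from Symantec's report or from the article), the following triage heuristic parses an AndroidManifest.xml and flags the traits described above: no launcher entry, broadcast receivers for power, boot and package-change events, and the foreground-service permission. The manifest, package name and function names are constructed for the example.

```python
# Added example: triage heuristic for the Xhelper traits described in the article.
# Indicators only; each of these is also used by legitimate apps.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

TRIGGER_ACTIONS = {  # broadcast actions matching the launch triggers the article lists
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
}

def analyze_manifest(xml_text: str) -> dict:
    """Collect the indicators present in a manifest; the result is not a verdict."""
    root = ET.fromstring(xml_text)
    actions = lambda elem: {a.get(NAME) for a in elem.iter("action")}
    categories = lambda elem: {c.get(NAME) for c in elem.iter("category")}
    has_launcher = any(
        "android.intent.action.MAIN" in actions(act)
        and "android.intent.category.LAUNCHER" in categories(act)
        for act in root.iter("activity")
    )
    triggers = sorted(
        a for rcv in root.iter("receiver") for a in actions(rcv) if a in TRIGGER_ACTIONS
    )
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    return {
        "package": root.get("package"),
        "has_launcher_activity": has_launcher,
        "trigger_receivers": triggers,
        "foreground_service": "android.permission.FOREGROUND_SERVICE" in perms,
    }

def is_suspicious(report: dict) -> bool:
    """Hidden from the launcher plus at least one persistence trigger matches the pattern."""
    return not report["has_launcher_activity"] and bool(report["trigger_receivers"])

# Constructed sample manifest (hypothetical package) exhibiting the described traits.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application><receiver android:name=".Wake"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
    <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
    <action android:name="android.intent.action.PACKAGE_ADDED"/>
  </intent-filter></receiver></application>
</manifest>"""
```

Only manifest-declared receivers are visible here; a receiver registered at runtime would not show up, so a negative result is inconclusive.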
Xhelper first surfaced in March 2019 and was relatively simple at the time with a main purpose of getting victims to visit advertisement pages for monetization purposes. There are indicators that the malware intends to target users on Jio in the future. Jio is the largest 4G network in India, with over 300 million subscribers. Malware is a massive problem on Google Play; earlier this month, 172 malicious Android apps were discovered with over 300 million combined installs.