Somewhere near the mid-point of 2019, we started seeing mass attacks by the xHelper Trojan on Android smartphones. The malware remains as active as ever today. Its main feature is invading your device and staying hidden. Once it gets into your phone, it somehow stays there even after the user deletes the malware and restores factory settings.
A recently conducted survey tried to determine how xHelper's creators gave the malware such survivability. The malware's operation is reportedly based on the currently active sample Trojan-Dropper.AndroidOS.Helper.h. Disguised as a popular cleaning and speed-up app, it simply disappears on installation and is nowhere to be seen.
At this stage, you will not be able to find the app on the main screen or in the system settings. Its main function is to remain hidden and send the phone's information to a remote URL. This information includes details such as your phone's manufacturer, model, firmware version and more.
In the next stage, the second dropper, Trojan-Dropper.AndroidOS.Helper.b, is launched. This in turn runs another piece of malware, Trojan-Downloader.AndroidOS.Leech.p, which again infects your device. The new malware is tasked with downloading yet another, the old HEUR:Trojan.AndroidOS.Triada.dd, and with obtaining root access on the victim's device. Once root access is obtained, xHelper can install new malicious files directly in the system partition. This can cause a lot more damage.
How to get rid of it?
There are very complicated methods to achieve this. However, the simplest and most reliable method is to completely reflash the phone. Reflashing is different from your average reset. It involves clearing partitions that otherwise remain untouched.
But users should keep in mind that the firmware of smartphones attacked by xHelper sometimes already contains malware. This may allow downloads and installs to proceed on your phone on their own. In this case, a reflash is pretty much useless, since the same procedure could start again. The only way out is to consider alternative firmware for your device. If you do use different firmware, though, you risk losing the function of some of the smartphone's components.