The pile of Android threats to watch out for has been mounting at a pretty rapid clip so far this year, with apps sneaking into the Google Play Store that can do everything from logging in to your Google and Facebook accounts and accessing key features of your device to spreading further malware, and so much more. Google, of course, kicks these apps out of its store as soon as they’re found, which we note each time this occurs — though each instance is also one more reminder of just how much of a minefield the threat landscape remains. Meanwhile, as if all that weren’t enough, the security firm Malwarebytes is calling attention to what may be one of the nastiest Android infections yet — a piece of malware that has actually been circulating for a while now and that can reinfect a device after almost every defense has been thrown at it, including a factory reset.
Back in August, this particular malware strain, called xHelper, had already been detected by Malwarebytes’ antivirus app on some 33,000 mostly US devices. Those numbers alone were enough for researchers to flag it as a major Android threat. xHelper is essentially a so-called trojan dropper: it installs malicious APKs on a device, which can in turn be used to install a variety of malicious apps.
What makes this one such a tough threat is that it can apparently survive factory resets, which are supposed to return the device to its original state. Researchers at Symantec also noticed this back in October, writing about how they’d “observed a surge in detections for a malicious Android application that can hide itself from users, download additional malicious apps, and display advertisements. The app, called xHelper, is persistent. It is able to reinstall itself after users uninstall it and is designed to stay hidden by not appearing on the system’s launcher.” The Symantec researchers went on to note that, by their tally, it had already infected more than 45,000 devices over the previous six months, and that many users were complaining about random pop-up ads and about the malware reappearing even after they’d manually uninstalled it.
Per Symantec, once xHelper connects to its command and control server, other payloads like rootkits might be downloaded to the compromised device. It’s believed that malware from xHelper’s server can actually perform a variety of functions, “giving the attacker multiple options, including data theft or even complete takeover of the device.”
This all came back to light this week, when Malwarebytes published a report detailing how one device owner kept removing the malware only to see it return to her device inside of an hour. The source of this malware is still being investigated by researchers — but, in the meantime, device owners can keep their gadgets safe by making sure their software stays updated, avoiding unfamiliar and untrustworthy sites when downloading apps, frequently backing up data, installing a strong security app, and being aware of permissions requested by apps.
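The two behaviours described above, a package that stays hidden from the launcher and one that comes back within an hour of being removed, can both be checked from the outside by snapshotting the installed package list. The script below is an added example, not code from Malwarebytes or Symantec; it assumes `adb shell pm list packages -f` output and a separately collected set of packages that expose a launcher entry, and the sample data is constructed.

```python
"""Defender-side checks for xHelper-style behaviour: packages missing from a
trusted baseline that expose no launcher entry, and packages that reappear
shortly after being removed. Added example; sample data is constructed."""
from datetime import datetime, timedelta

# Constructed sample of `adb shell pm list packages -f` output (not real data).
PM_LIST = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.weather-1/base.apk=com.example.weather
package:/data/app/com.example.hidden-1/base.apk=com.example.hidden
"""

def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` lines."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("package:") or "=" not in line:
            continue
        path, _, name = line[len("package:"):].rpartition("=")
        result[name] = path
    return result

def hidden_unknown_packages(pm_text, launcher_pkgs, baseline):
    """Packages absent from the trusted baseline (e.g. a snapshot taken right
    after a clean flash) that also have no launcher activity. launcher_pkgs is
    assumed to be collected separately, e.g. from the launcher's app list."""
    installed = parse_pm_list(pm_text)
    return sorted(p for p in installed
                  if p not in baseline and p not in launcher_pkgs)

def reinstalled_packages(snapshots, within=timedelta(hours=1)):
    """Given [(timestamp, set_of_package_names), ...] in time order, return
    {pkg: gap} for packages that were present, disappeared, and were present
    again no more than `within` after the snapshot that first lacked them."""
    found, gone_since, prev = {}, {}, set()
    for ts, pkgs in snapshots:
        for p in prev - pkgs:            # just removed: remember when
            gone_since[p] = ts
        for p in pkgs & set(gone_since):  # back again: measure the gap
            gap = ts - gone_since.pop(p)
            if gap <= within:
                found[p] = gap
        prev = pkgs
    return found
```

Run the snapshots at a fixed interval after an uninstall or factory reset; a package that the baseline never contained, that has no launcher entry, and that keeps coming back is exactly the pattern the researchers describe.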