Security experts are warning Android users about a particularly nasty strain of malware that's almost impossible to remove.

Researcher Igor Golovin from Kaspersky has written a blog post explaining how the xHelper malware uses a system of nested programs, not unlike a Russian matryoshka doll, that makes it incredibly stubborn.

The xHelper malware was first discovered last year, but Golovin has only now established exactly how it gets its claws so deeply into your device, and reappears even after a system restore.

Although the Google Play Store isn't foolproof, unofficial third party app stores are much more likely to harbor malicious apps. App-screening service Google Play Protect blocked more than 1.9 million malware-laced app installs last year, including many side-loaded or installed from unofficial sources, but it's not foolproof.

xHelper is often distributed through third-party stores disguised as a popular cleanup or maintenance app to boost your phone's performance, and once there, is amazingly stubborn.

In too deep

When the malware is first installed, it downloads a 'dropper' trojan, which collects information on your device and installs another trojan. This then downloads exploit code that gives it root access to your device, where it can cause whatever mayhem its creators see fit.

Removing the infection is extremely difficult. All these downloads are hidden deep in the system files, making them hard to find, and the dropper that's installed in the system partition can start the process all over again even after a factory reset.

Golovin advises reflashing the phone, but warns that sometimes the factory-installed firmware might contain xHelper, in which case there's very little you can do. "If you do use a different firmware, remember that some of the device’s components might not operate properly," he advises.

"In any event, using a smartphone infected with xHelper is extremely dangerous. The malware installs a backdoor with the ability to execute commands as a superuser. It provides the attackers with full access to all app data and can be used by other malware too, for example, CookieThief."