Over the past six months, a new Android malware strain has made a name for itself after popping up on the radar of several antivirus companies, and annoying users thanks to a self-reinstall mechanism that has made it near impossible to remove.

Named xHelper, this malware was first spotted back in March but slowly expanded to infect more than 32,000 devices by August (per Malwarebytes), eventually reaching a total of 45,000 infections this month (per Symantec).

The malware is on a clear upward trajectory. Symantec says the xHelper crew is making on average 131 new victims per day and around 2,400 new victims per month. Most of these infections have been spotted in India, the US, and Russia.

Installed via third-party apps

According to Malwarebytes, the source of these infections is "web redirects" that send users to web pages hosting Android apps. These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan.

The good news is that the trojan doesn't carry out destructive operations. According to both Malwarebytes and Symantec, for most of its operational lifespan, the trojan has shown intrusive popup ads and notification spam. The ads and notifications redirect users to the Play Store, where victims are asked to install other apps -- a means through which the xHelper gang is making money from pay-per-install commissions.

Image: Malwarebytes

But the thing that's most "interesting" is that xHelper doesn't work like most other Android malware. Once the trojan gains access to an Android device via an initial app, xHelper installs itself as a separate self-standing service.

Uninstalling the original app won't remove xHelper, and the trojan will continue to live on users' devices, continuing to show popups and notification spam.

"Unremovable"

Furthermore, even if users spot the xHelper service in the Android operating system's Apps section, removing it doesn't work, as the trojan reinstalls itself every time, even after users perform a factory reset of the entire device.

How xHelper survives factory resets is still a mystery; however, both Malwarebytes and Symantec said xHelper doesn't tamper with system services system apps. In addition, Symantec also said that it was "unlikely that Xhelper comes preinstalled on devices."

Image: Malwarebytes

In some cases, users said that even when they removed the xHelper service and then disabled the "Install apps from unknown sources" option, the setting kept turning itself back on, and the device was reinfected in a matter of minutes after being cleaned.

Over the past few months, many users have complained about xHelper's near "unremovable" state, on sites like Reddit, Google Play Help [1, 2], or other tech support forums.

Image: ZDNet

Some users reported having success with some paid versions of mobile antivirus solutions, but others did not.

In a blog post published today, Symantec said the trojan is in a constant evolution, with new code updates being shipped out on a regular basis, explaining why some antivirus solutions manage to remove xHelper in some instances, but not later versions.

There appears to be a battle between the xHelper crew and mobile antivirus solutions, with each one trying to get the better of the other.

Of note is that both Symantec and Malwarebytes have also put out a warning regarding xHelper's features. While the trojan is currently engaging in spam and ad revenue, it also possesses other, more dangerous features. Both companies said xHelper can download and install other apps, a function that the xHelper crew could use at any point to deploy second-stage malware payloads, such as ransomware, banking trojans, DDoS bots, or password stealers.