The Malware’s History

A new piece of malware named xHelper was discovered in May last year. Malwarebytes researchers first discovered it and “classified what we believed was just another generic Android/Trojan.Dropper, and moved on.”

First investigation

However, Malwarebytes researchers soon saw it rise into the top 10 most detected pieces of malware, so they decided to investigate further. They wanted to know what source of infection was making the xHelper Trojan so widespread, since its prominence could not be explained simply by people carelessly installing third-party applications. In this investigation, Malwarebytes researchers discovered that xHelper was being hosted on IP addresses in the United States, and they concluded from this that the attacks were targeting the United States. At the end of their analysis the researchers published a blog post on their findings and closed the case on xHelper.

Second investigation

Unfortunately, that was not the end of the xHelper case. Last month, Malwarebytes was contacted by a user who stated that her Android phone kept getting re-infected by xHelper even after a factory reset. A factory reset is usually the last resort for getting rid of a persistent malware infection: it removes any malware, unless the phone came with malware pre-installed. In this instance, however, the factory reset did not work. The phone did not contain any pre-installed malware, yet the infection kept returning. This intrigued the researchers, and they decided to examine the case further.

How was the mobile re-infected by xHelper after the factory reset?

After encountering many blind alleys during their investigation, the researchers discovered the source of the reinfections. They searched the infected phone for files and directories whose names started with the string “com.mufc”, which all of xHelper’s malicious package names contain. To their astonishment they found a folder with this string still on the phone. It had not been deleted during the factory reset, as would normally be the case. Hidden inside the folder was an Android Application Package (APK). The APK was a Trojan dropper that downloaded an xHelper variant, which in turn downloaded more malware within seconds, re-infecting the phone. This solved the mystery of how the phone was being reinfected. Malware researchers, however, still have not discovered how the mufc folder was created on the phone in the first place, nor why the folder was not deleted during the factory reset. Therefore, researchers still do not know how this malware survives a factory reset.

How to Remove xHelper

To remove xHelper from an infected phone, the mufc folder, along with all of its contents, needs to be deleted. This requires an Android file manager. Furthermore, the malware somehow involves Google Play as the source of the reinfection. Malwarebytes therefore recommends that people in a similar position first disable the Google Play Store app before removing the folder.
