Xhelper: The Android Malware That Can’t be Removed

At some point in your cyber life, you have probably run across malware that seems to persist no matter what you do to remove it. Your antivirus doesn’t do the job so you search online for help. Eventually, you may find somewhat daunting virus removal instructions and try to follow them, yet, the next time you reboot, you see that the malware is still active. That’s when things get serious. In order to get rid of this malware, you learn that you’ll have to edit the registry. This is akin to brain surgery, and you will be warned with something like the following from Microsoft.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

You are then given complicated instructions on backing up your registry. But, at this point, many users will back away. The risk simply seems too great.

I had this problem when I tried to activate an old laptop. In literally the first seconds of going online, I picked up some Chinese malware. I was given certain alternatives to select from in Chinese, none of which I understood, and ended up with adware that took full control of my browser. Nothing I did stopped it. Eventually, I had to reinstall the operating system.

Before I get into the mechanics behind Xhelper, a new Android malware that is making the rounds, there are a few things to understand about how malware can be made to persist. Changing the registry is just one of the steps such malware takes. It does this to insure that a reboot will simply reinstall it. If the malware gets enough control of your device, it will compromise any security tools you may have. For example, it will make your antivirus programs useless or blind to the particular malware. In its efforts to hide from detection, the malware can riddle the infected computer with bad files that may compromise the computer in a variety of ways, some of which will make the computer virtually inoperative. If this is the case, you will probably have to reinstall the operating system. As Jesper M. Johansson, Security Program Manager at Microsoft TechNet, admits, “the only way to clean a compromised system is to flatten and rebuild. Thats right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).”

All operating systems are vulnerable to such attacks, not only Microsoft. Back in July, an Android-targeting malware infected 25 million phones worldwide. The malware worked by having the victim download and install an infected app. Most of these bad apps came from third party sites, not the official Google Play app site. The app would then send out fake updates that would replace real apps with infected versions. This malware seemed to target WhatsApp, but other legitimate apps were replaced as well. The infected apps were reprogrammed to serve up ads that the developers hoped would be clicked on. Their purpose was clearly to make money. The malware was traced to China.

Although this malware just called up ads, it could have done much worse. It could have recorded your online browsing sessions and captured your passwords, for example. And, although the infected apps were found on third party sites, researchers at Check Point claimed they found indications that the developers were targeting Google Play by uploading apps deploying similar malware.

This all seemed to set the stage for a much more malicious Android malware named by Symantec as Xhelper.

Xhelper is in its development stage. So far, ‘only’ 45,000 infections have been reported, although more infections may exist and have simply not been recognized. It is not clear how the malware gets on the devices. Of course, bad apps seem the most likely source, but there is some indication that the infected apps came pre-installed on cheap Chinese smartphones. These apps would then contact the malware developers to get malware installed. Keep in mind that Xhelper itself is not an app so it will not appear in the list of apps on a device. It launches itself when the user performs certain functions, as seen in the code below from Symantec.


Xhelper will launch when power is connected or disconnected, the phone is booted, its connectivity is changed, or even when its brightness is changed. In a 2017 study, it was found that these so-called piggybacked apps were launched most frequently by these 10 events.


If, for some reason, the services the app was using were stopped by the user, an alarm is triggered that will re-launch the malware after a certain amount of time has passed.

Once Xhelper sets up a connection to its C&C server, it will download and install whatever the malware developers feel is best. They apparently have a wide variety of malware to choose from. This could be anything from ads to attract clicks to RATs. The connections to the C&C are encrypted to remain undetected.

Many people, who were victims of Xhelper, complain that the malware persists even though they have performed a factory reset on the device. The only way this could occur is if the smartphone was pre-infected at the factory level. According to Symantec, it may not be a pre-installed app that is doing it, but code inserted in one of the system files.

If the code is inserted at the factory level, there is not really much a victim can do. It also suggests that the smartphone manufacturer either does not know it packaged bad apps on its phones, or was forced to install them through governmental pressure. This point was brought out by Bruce Schneier who wrote that Xhelper is “a weird piece of malware. That level of persistence speaks to a nation-state actor. The continuous evolution of the malware implies an organized actor. But sending unwanted ads is far too noisy for any serious use. And the infection mechanism is pretty random. I just don’t know.”

No known removal instructions for Xhelper exist. You may find some generic instructions, and these may work on certain phones, but most people will still find that the malware persists. Lots of discussions among IT professionals are taking place online trying to figure out how Xhelper is managing to keep control of a device even after a factory reset. If someone figures this out, I’ll let you know. Until then, keep away from all third party apps and be ready to buy a new phone.

2 thoughts on “Xhelper: The Android Malware That Can’t be Removed

    1. But it would still be a mystery as to why it would survive a factory reset, which is why I think it may have been built into the phones. It may be a line of code in the boot sector that triggers other processes to take place. There may also be many modes of attack as the designers work on it.

      Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s