Bitcoin Forum
Author Topic: xHelper - Warning for all Android users!  (Read 204 times)
Lucius (OP)
November 11, 2019, 11:38:19 AM
Last edit: November 11, 2019, 02:21:35 PM by Lucius
 #1

Although smartphone security is often overlooked, there are more and more malware threats emerging every day, and most of them are actually hidden in apps that you can download on the Google Play Store.

I want to warn all Android OS users that an application has emerged that installs very dangerous malware on smartphones. It is called xHelper, and according to all reports, it is almost impossible to remove it from an infected phone. What xHelper is doing at the moment is very aggressive ad serving, not only via a mobile browser (mostly by redirecting to unwanted sites) but also on the main screen of your smartphone.

Some users report that this app also installs some other apps without the owner’s permission, and it is impossible to remove it even with a factory/hard reset. The reason for that is that this app manages to isolate its files from the main OS, and regardless of deletion/uninstall it always finds a way to reinstall itself. There are few reports of successful removal with some tools, but xHelper adjusts very quickly and disables all possible security programs.

I personally had the opportunity to try to repair an infected smartphone with this trojan, and despite all the methods known to me, removal was unsuccessful in all cases.

To reduce the possibility of infection, check each app before downloading from Google Play (by searching for reviews), and never download apps from any other location. It is also important to keep your smartphone up to date with security updates, and to use any security software that can prevent such bad apps from installing on your device.

Read more :

45,000 Android devices infected by new unremovable xHelper malware
A nearly impossible to remove Android malware has infected 45,000 devices
Symantec - xHelper

Velkro
November 11, 2019, 12:04:31 PM
 #2

Some users report that this app also installs some other apps without the owner’s permission, and it is impossible to remove it even with a factory/hard reset. The reason for that is that this app manages to isolate its files from the main OS, and regardless of deletion/uninstall it always finds a way to reinstall itself. There are few reports of successful removal with some tools, but xHelper adjusts very quickly and disables all possible security programs.

I personally had the opportunity to try to repair an infected smartphone with this trojan, and despite all the methods known to me, removal was unsuccessful in all cases.
That is actually amazing. There have been few to no viruses/trojan horses that were so hard to remove in the past.
Google, which is Android's creator, should intervene and remove it at all costs because it's in their best interest to keep Android semi-secure.
I will dig into that, but this is a great warning and wake-up call that Android devices are not meant to keep any bigger amount of BTC on them.
nelson4lov
November 11, 2019, 12:07:51 PM
 #3

Thanks for the heads up. Android OS looks like the OS most prone to malware and viruses. I've never seen Apple phones being so vulnerable before. Once there's a new malware heartbreak, Android users are the first to be infected. The best way to avoid malware is simply not to install apps outside of the Play Store/unknown sources. Stamp it on your forehead and memory and your Android experience won't be made miserable by malware. Malware-infected apps rarely make it onto the Play Store. On a lighter note, I won't advise anyone to rely on mobile antiviruses.

NeuroticFish
November 11, 2019, 01:04:55 PM
 #4

I personally had the opportunity to try to repair an infected smartphone with this trojan, and despite all the methods known to me, removal was unsuccessful in all cases.

I am quite scared of the (lack of) security mobile phones offer nowadays. I use a 3rd party antivirus for checking the things I install, but I am aware that some things can easily be hidden from antiviruses too.
Was the phone you had in hand rooted or not? I hope that only rooted phones are affected...

Also, maybe putting another ROM onto that phone would help get rid of that piece of.. trojan.


Malware-infected apps rarely make it onto the Play Store.

It was this year when Google announced to me that I have installed an app that doesn't behave right. It was only some ad abuse, I think, but I had the app installed for over a year until Google woke up.

xaRocket
November 11, 2019, 02:09:38 PM
 #5

<..>
Some users report that this app also installs some other apps without the owner’s permission, and it is impossible to remove it even with a factory/hard reset. The reason for that is that this app manages to isolate its files from the main OS, and regardless of deletion/uninstall it always finds a way to reinstall itself. There are few reports of successful removal with some tools, but xHelper adjusts very quickly and disables all possible security programs.

<...>

This might be the answer to the case that I experienced a few weeks ago. I am not sure/don't know whether my smartphone is infected with xHelper, but what happened to my smartphone is exactly what you mentioned.
Lucius (OP)
November 11, 2019, 02:21:10 PM
 #6

Google, which is Android's creator, should intervene and remove it at all costs because it's in their best interest to keep Android semi-secure.

Google as the owner of Android OS can only make some security improvements, but it cannot affect the way users install apps on their smartphones. If their service Google Play is the source of the infection (and in most cases this is true), they should check any app before approval, and that is not something they want/can do at that time.

I am quite scared of the (lack of) security mobile phones offer nowadays. I use a 3rd party antivirus for checking the things I install, but I am aware that some things can easily be hidden from antiviruses too.
Was the phone you had in hand rooted or not? I hope that only rooted phones are affected...

I can only say that that phone got this infection after the owner downloaded some sport-related app from Google Play, but I am not sure whether the phone is rooted or not. What I can say is that it was a phone without any protection and no updates from Google in the last 2 years.

xHelper is not a new type of malware, and many antivirus programs have protection from that threat, but removal from the infected device is a big problem since the malware is adapting.

What I found on the page from Symantec is that this malware is possibly targeting Jio 4G network users in India, who already have a free app that protects them from xHelper.

Symantec - xHelper

bitmover
November 11, 2019, 02:49:38 PM
 #7

To reduce the possibility of infection, check each app before downloading from Google Play (by searching for reviews), and never download apps from any other location. It is also important to keep your smartphone up to date with security updates, and to use any security software that can prevent such bad apps from installing on your device.

That's good advice.

Many users are tempted to download an app directly or use some other platforms like apkpure because there are region-based or device-based restrictions (forcing you to buy a new phone to download an app which runs smoothly on an old one).

There is a risk in downloading apps from those sources, as you pointed out.

desticy
November 11, 2019, 02:52:54 PM
 #8

In order not to fall into such dubious situations associated with infected programs, it is best not to have anything with direct access to your money on your device.
For example, if your phone has access to the exchange, make sure that fingerprint or face-id verification is also enabled.

Almost any device can be hacked, especially if it is on Android, especially if you install some third-party applications.
Therefore, on a working device, I never store especially important data because I am afraid of hacking. Although I have an iPhone.

TrevorS
November 11, 2019, 02:56:33 PM
 #9

To reduce the possibility of infection, check each app before downloading from Google Play (by searching for reviews), and never download apps from any other location. It is also important to keep your smartphone up to date with security updates, and to use any security software that can prevent such bad apps from installing on your device.

That's good advice.

Many users are tempted to download an app directly or use some other platforms like apkpure because there are region-based or device-based restrictions (forcing you to buy a new phone to download an app which runs smoothly on an old one).

There is a risk in downloading apps from those sources, as you pointed out.

I do not fully agree with you. Checking reviews does not mean anything. You find out that the application can be compromised only after a long time, when it starts to act actively.
If you installed it relying on reviews, you will fall into the trap with all other users. Ideally, you need to install open source applications, or at least refrain from installing for several months if the application is new and little known.

NeuroticFish
November 11, 2019, 03:06:00 PM
 #10

I do not fully agree with you. Checking reviews does not mean anything. You find out that the application can be compromised only after a long time, when it starts to act actively.
If you installed it relying on reviews, you will fall into the trap with all other users. Ideally, you need to install open source applications, or at least refrain from installing for several months if the application is new and little known.

That's correct, if the discussion was on the reviews from Play Store. Also most apps have a good number of reviews made/bought by the dev, which are obviously good no matter what and when the app is young, they can fool you.
If the discussion is about reviews from blogs and specialized websites, the risk should be smaller, especially if the review exists on multiple sites and some of them are well known. At that point the app may be mature enough too.


I can only say that that phone got this infection after the owner downloaded some sport-related app from Google Play, but I am not sure whether the phone is rooted or not. What I can say is that it was a phone without any protection and no updates from Google in the last 2 years.
[...]
What I found on the page from Symantec is that this malware is possibly targeting Jio 4G network users in India, who already have a free app that protects them from xHelper.

OK, this is somewhat more reassuring (for me), thanks.

crairezx20
November 11, 2019, 05:37:07 PM
 #11

Do you think new phones are also infected by xHelper? Or is this only for older devices?

I noticed that some devices like OPPO or Vivo are always showing ads even if you installed only one app, compared to branded phones like Samsung and HTC.

So I think only China-based phones like Vivo, OPPO, and China phones are infected with xHelper, because most of these phones will give you a headache while using them due to many ads. This is just my guess since these two phones are the most sold products this year.
Theb
November 11, 2019, 06:01:38 PM
 #12

There is a Google support thread about this xHelper problem, and after reading most of the comments all I can see is that the malware is not doing anything besides showing ads and redirecting to unwanted websites. Factory resetting the phone isn't a solution and no one has confirmed yet whether rooting your phone can be of any help, so I think the ones who already have it are left with no choice but to wait for an update for the antivirus software to have a solution for this one. Also I wouldn't advise anyone to delete the files via USB by connecting it to their desktop computer, as it might try to migrate into your personal computer, so it's best to limit it to your phone right now.

Strongkored
November 12, 2019, 02:16:56 AM
 #13

If the discussion is about reviews from blogs and specialized websites, the risk should be smaller, especially if the review exists on multiple sites and some of them are well known. At that point the app may be mature enough too.
Reviews from specialized websites are more trustworthy than blog reviews (personal blogs); sometimes a blogger only rewrites from another blog without trying it first.


What I found on the page from Symantec is that this malware is possibly targeting Jio 4G network users in India, who already have a free app that protects them from xHelper.
That's why India becomes a country with so many Androids infected with xHelper.

It seems my Android got infected too; the indication of an xHelper infection is getting many notification ads, but the ads only pop up when watching sport streaming.

Besides only installing apps from the Google Play Store, there are 4 ways to reduce the risk of malware infection:
1. Always update the system and apps
2. Note the access permissions requested by the app
3. Backup important data
4. Install antivirus and official security software which is suitable for the device, to protect the device and also the data.

(Free translation from this website)

Lafu
November 12, 2019, 03:09:01 AM
 #14

Damn, looks like the hackers and scammers get smarter every day, thanks for the information about that app.

Read the article you posted, Symantec - xHelper, and wow, I must say, crazy shit to get rid of the app.
Glad that I don't have it, and yep, as others have already written, check what you download on the Google store the same as you should when you download something on the internet on your PC.
Reporting the app would be the best way, and the more people report it, the faster it gets deleted there.

If this keeps going with all that malware and bad software, you will need 2 PCs in the future, one for surfing on the internet and the other, safe one, for wallets etc.

Lucius (OP)
November 12, 2019, 10:38:09 AM
 #15

Do you think new phones are also infected by xHelper? Or is this only for older devices?

New smartphones should not be infected by anything; who would buy them if they already had something like xHelper? The phone only gets infected if the user downloads a malicious app, but from what can be read, some AVs can protect users from getting infected; the only problem is how to remove that malware from an infected phone.

I cannot say anything about Vivo & Oppo, but I also have a Chinese phone (Huawei), and I have no problem with it regarding any unwanted advertisements. In fact, every Huawei comes with an app called Optimizer, and part of that app is AV software (Avast).



...all I can see is that the malware is not doing anything besides showing ads and redirecting to unwanted websites. Also I wouldn't advise anyone to delete the files via USB by connecting it to their desktop computer, as it might try to migrate into your personal computer, so it's best to limit it to your phone right now.

I have one infected phone in my hand, trust me that using such an infected phone becomes a real nightmare. Although the symptoms may sound trivial at the moment, the one behind this program may have other much more dangerous intentions. The fact is that the malware is constantly evolving and resisting any attempt to remove it from any infected phone.

Deleting files is completely useless at this point, and it is also not known that this malware can infect Windows or any other OS.
