xHelper is a very dangerous malware attacking Android devices, which became famous for being able to survive restoring the system to factory settings. Analysts did not know for a long time how it works.
xHelper malware has appeared at the end of 2019. In October, the malware has infected 45 thousand devices and did not end at that time. This unique threat is able to survive restoring the smartphone to factory settings. The mechanism of its operation remained secret for several months.
Here is the secret of the malware that you cannot remove from Android
Kaspersky Lab specialists have found and analyzed the threat. The most interesting thing about it is that it was able to install itself on the system partition.
In normal Android operating mode, this part of the memory is mounted read-only. It is therefore not possible to delete xHelper files during traditional smartphone use. Its components are camouflaged between system files necessary for Android operation.
The attributes assigned to xHelper files do not allow removal even by a user with root privileges. By the way, xHelper removes all root-related applications (for example, Superuser). As if that was not enough, the malware modifies Android libraries to prevent the mounting of the system partition for writing in any conditions.
In fact, the only way to get rid of this malware is to flash your smartphone from a restore version. In the recovery mode, you need to upload a completely new system image. And here we come to another attraction – many Android images for cheaper smartphones from China already had an “add-on” that downloaded xHelper.
Recall that the malware primarily affects Android versions 6 and 7, so users with newer versions are safe. Estimates for the number of affected phones infected by xHelper previously ranged from around 33,000 to 45,000, but again, only devices running older, less secure versions of Android should be susceptible to the malware.