Security experts have identified a particularly stubborn strain of Android malware that somehow manages to reinstall itself on a victim’s device, even after they’ve performed a full factory reset.
The malware, known as xHelper, was first discovered and documented by researchers from security company Malwarebytes in May 2019. It was identified as a trojan dropper, which installs malicious APKs on your phone without your knowledge or permission.
If you start to see new app and notification icons that you don’t recognize, there’s a chance that your phone has been infected with this type of malware, though it’s not always obvious; malware is often disguised as legitimate system applications, and the icons can be hidden away.
As Ars Technica explains, Malwarebytes has now published an account from a victim who went to huge lengths to purge her phone of two xHelper variants, including performing a full factory reset. Each time she managed to remove the malware, it reappeared on her device within an hour.
Malware is a serious problem for Android phones, which typically come with between 100 and 400 apps pre-installed. If just one of those apps is compromised, devices will be infected before they even find their way into customers’ hands.
The security researchers suspected this might be the issue with xHelper, particularly since the infected phone was from a lesser-known manufacturer, but even removing its pre-installed apps didn’t solve the problem.
Eventually, an exploration of the phone’s system files revealed an APK that installed an xHelper variant on the phone. Strangely, this seemed to be triggered by something in the Google Play Store app, though Google Play itself was unaffected.
The team managed to remove the malware, but it was unclear how the file came to be on the phone in the first place, or how it survived a factory reset.