Though this somewhat-new “xHelper” malware has affected a low number of Android users so far (around 45,000, estimates Symantec), the fact that nobody has any clear advice on how to remove it is a worrisome fact. While the odds are good that you won’t get hit with this malware, given its low installation rate so far—even though it’s been active since March—you should still know what it does and how to (hopefully) avoid it.
As Malwarebytes describes, xHelper starts by concealing itself as a regular app by spoofing legitimate apps’ package names. Once it’s on your device, you’re either stuck with a “semi-stealth” version, which drops an xHelper icon blatantly in your notifications—but no app or shortcut icons—or a “full-stealth” version, which you’ll only notice if you visit Settings > Apps & notifications > App Info (or whatever the navigation is on your specific Android device) and scroll down to see the installed “xHelper” app.
What does xHelper do?
Thankfully, xHelper isn’t destructive malware in the sense that it’s not recording your passwords, credit card data, or anything else you’re doing on your device and sending it off to some unknown attacker. Instead, it simply spams you with pop-up advertisements on your device and annoying notifications that all try to get you to install more apps from Google Play—presumably how the xHelper’s authors are making cash from the malware.
The dark side, as reported by ZDNet, is that xHelper can allegedly download and install apps on your behalf. It doesn’t appear to be doing so at the moment, but if this were to happen—coupled with the app’s mysterious ability to persist past uninstallations and factory resets—would be a huge backdoor for anyone affected by the malware.
Wait, I can’t uninstall it?
Yep. This is the insidious part of xHelper. Neither Symantec nor Malwarebytes have any good recommendations for getting this malware off your device once it’s installed, as the mechanisms it uses to persist past a full factory reset of your device are unknown.