Wednesday, May 21, 2025
HomeAndroidUnkillable Android XHelper Malware Reinstall Itself Again After Factory Reset

Unkillable Android XHelper Malware Reinstall Itself Again After Factory Reset

Published on

SIEM as a Service

Follow Us on Google News

The Android XHelper malware was first identified in October 2019, it is known for its persistent capabilities.

Once it gets installed to the device, the malware remains active even after the user deletes it and restore the factory settings.

Android XHelper Malware

The malware distributed by threat actors as a popular cleaner and speed-up app for smartphones, but it doesn’t have any cleaner or speed-up functions.

- Advertisement - Google News

Once the cleaner or a speed-up app gets installed it simply disappears from the main screen or from the program menu.

According to Kaspersky’s study, Trojan’s payload is encrypted in the file /assets/firehelper.jar sends information about the victim device such as (android_id, manufacturer, model, firmware version, etc) to attacker’s server.

From the attacker’s server, it downloads the second malicious module “Trojan-Dropper.AndroidOS.Agent.of” which decrypts payload using the native library.

The next dropper is “Trojan-Dropper.AndroidOS.Helper.b“, which launches “Trojan-Downloader.AndroidOS.Leech.p” for further infection.

Leech.p further downloads “HEUR:Trojan.AndroidOS.Triada.dd” which uses exploits for escalating privileges on the victim’s device.

“Malicious files are stored sequentially in the app’s data folder, which other programs do not have access to. This matryoshka-style scheme allows the malware authors to obscure the trail and use malicious modules that are known to security solutions,” reads the Kaspersky blog post.

If the victim’s running Android versions 6 and 7 from Chinese manufacturers then XHelper able to escalate privileges and install’s malicious files directly in the system partition.

Android XHelper Malware
Total number of attacks 2019-2020

The malware adds a number of files to the /system/bin folder and added calls to install-recovery.sh which makes Triada run at system startup.

The simplest method to remove is by completely reflashing the phone, using a smartphone infected with xHelper is extremely dangerous.

Some users said that they suppressed Xhelper activity by turning off permissions and locking them using app lock software. Some users said that “tried denying permissions to xHelper without uninstalling, but it turned on all permissions again.”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Critical Vulnerability in Palo Alto GlobalProtect Gateway & Portal Enables Remote Code Execution

Palo Alto Networks has assigned the vulnerability a LOW severity rating but urges administrators to apply...

Hazy Hawk Targets DNS Vulnerabilities to Hijack Cloud Resources and Spread Malware

The threat actor gained attention in February 2025 after successfully hijacking a subdomain of...

Critical VMware ESXi & vCenter Flaw Allows Remote Execution of Arbitrary Commands

VMware by Broadcom has released critical security updates to address multiple severe vulnerabilities affecting...

Accenture Files Leak – New Research Reveals Projects Controlling Billions of User Data

A new research report released today by Progressive International, Expose Accenture, and the Movement...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hazy Hawk Targets DNS Vulnerabilities to Hijack Cloud Resources and Spread Malware

The threat actor gained attention in February 2025 after successfully hijacking a subdomain of...

More_Eggs Malware Uses Job Application Emails to Distribute Malicious Payloads

The More_Eggs malware, operated by the financially motivated Venom Spider group (also known as...

Hackers Use Weaponized RAR Archives to Deliver Pure Malware in Targeted Attacks

Russian organizations have become prime targets of a sophisticated malware campaign deploying the Pure...