Saturday, May 3, 2025
HomeAndroidUnkillable Android XHelper Malware Reinstall Itself Again After Factory Reset

Unkillable Android XHelper Malware Reinstall Itself Again After Factory Reset

Published on

SIEM as a Service

Follow Us on Google News

The Android XHelper malware was first identified in October 2019, it is known for its persistent capabilities.

Once it gets installed to the device, the malware remains active even after the user deletes it and restore the factory settings.

Android XHelper Malware

The malware distributed by threat actors as a popular cleaner and speed-up app for smartphones, but it doesn’t have any cleaner or speed-up functions.

- Advertisement - Google News

Once the cleaner or a speed-up app gets installed it simply disappears from the main screen or from the program menu.

According to Kaspersky’s study, Trojan’s payload is encrypted in the file /assets/firehelper.jar sends information about the victim device such as (android_id, manufacturer, model, firmware version, etc) to attacker’s server.

From the attacker’s server, it downloads the second malicious module “Trojan-Dropper.AndroidOS.Agent.of” which decrypts payload using the native library.

The next dropper is “Trojan-Dropper.AndroidOS.Helper.b“, which launches “Trojan-Downloader.AndroidOS.Leech.p” for further infection.

Leech.p further downloads “HEUR:Trojan.AndroidOS.Triada.dd” which uses exploits for escalating privileges on the victim’s device.

“Malicious files are stored sequentially in the app’s data folder, which other programs do not have access to. This matryoshka-style scheme allows the malware authors to obscure the trail and use malicious modules that are known to security solutions,” reads the Kaspersky blog post.

If the victim’s running Android versions 6 and 7 from Chinese manufacturers then XHelper able to escalate privileges and install’s malicious files directly in the system partition.

Android XHelper Malware
Total number of attacks 2019-2020

The malware adds a number of files to the /system/bin folder and added calls to install-recovery.sh which makes Triada run at system startup.

The simplest method to remove is by completely reflashing the phone, using a smartphone infected with xHelper is extremely dangerous.

Some users said that they suppressed Xhelper activity by turning off permissions and locking them using app lock software. Some users said that “tried denying permissions to xHelper without uninstalling, but it turned on all permissions again.”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

New StealC V2 Upgrade Targets Microsoft Installer Packages and PowerShell Scripts

StealC, a notorious information stealer and malware downloader first sold in January 2023, has...

Subscription-Based Scams Targeting Users to Steal Credit Card Information

Cybersecurity researchers at Bitdefender have identified a significant uptick in subscription-based scams, characterized by...

RansomHub Taps SocGholish: WebDAV & SCF Exploits Fuel Credential Heists

SocGholish, a notorious loader malware, has evolved into a critical tool for cybercriminals, often...

Hackers Weaponize Go Modules to Deliver Disk‑Wiping Malware, Causing Massive Data Loss

Cybersecurity researchers uncovered a sophisticated supply chain attack targeting the Go programming language ecosystem...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Weaponize Go Modules to Deliver Disk‑Wiping Malware, Causing Massive Data Loss

Cybersecurity researchers uncovered a sophisticated supply chain attack targeting the Go programming language ecosystem...

Tsunami Malware Surge: Blending Miners and Credential Stealers in Active Attacks

Security researchers have recently discovered a sophisticated malware operation called the "Tsunami-Framework" that combines...

Hackers Exploit New Eye Pyramid Offensive Tool With Python to Launch Cyber Attacks

Security researchers from Intrinsec have published a comprehensive analysis revealing significant overlaps in...