The Android malware, xHelper infected over 45,000 devices in 2019, and coupled with the ability to re-install itself on devices after users delete it or factory reset their devices, makes it almost impossible to remove.
While Igor Golovin, malware analyst at Kaspersky, finally solved the mystery by unveiling some technical details on the mechanism used by xHelper, and also figured out the best way to remove the malware from infected devices.
But xHelper malware has ultimately returned this year with the Triada Trojan, which is a virulent payload, and according to researchers, it's virtually indestructible by the common user.
How xHelper managed to remain undetectable?
The Android malware disguises itself as a cleaner or speed-up app, which in reality there is absolutely nothing of such related to it. Once it is installed on a device, it will disappear from both the main screen and the program menu.
And it takes only a tech-savvy user to find it by inspecting the list of installed apps in the system settings, with the payload encrypted in the file /assets/firehelper.jar (as the encryption is practically unchanged from its earlier versions, and it isn't difficult to decrypt).
The main task of the payload is to send identity information of the targeted device (phone model, android_id, manufacturer, firmware version, etc.) to an attacker-control remote web server. It is capable of gaining root access mainly on devices running older Android versions (Android 6 and 7), mostly from Chinese ODMs, according to Golovin.
How to effectively Remove xHelper
As mentioned above, simply deleting xHelper app does not entirely remove it from the Android system, as the program com.diag.patches.vm8u is already installed in the system partition, it re-installs xHelper and other malware at any instance.
The best way to remove it is replacing the modified library with that from the original firmware for your Android phone which could re-enable mounting system partition in the write-mode to remove xHelper Android malware permanently.
And such a procedure can only be carried out by a tech-savvy user, so to get rid of the malware easily, affected users are advised to simply re-flash their phones with a copy of original firmware downloaded from the vendors' official website or install another compatible Android ROM.