Android smartphone owners must be getting pretty used to the daily warnings about malware-filled apps and device-infecting adware. Threats continue to arrive thick and fast, but the latest alert could be one of the most concerning to date.
A new report from the team at Malwarebytes has uncovered a new attack which is able to reinfect a phone even after everything is deleted and a full factory reset has been performed.
The bug is so bad that mobile researcher Nathan Collier said: “This is by far the nastiest infection I have encountered.”
This Android Trojan is called xHelper. It was first discovered last year and is aimed at infecting Google-powered devices with malware.
However, it now seems this attack is far more serious than first thought: one Android user got in touch with Malwarebytes to report that the bug kept returning despite her performing full factory resets.
Speaking on a forum page the owner said: “I have a phone that is infected with the xhelper virus. This tenacious pain just keeps coming back.
“I’m fairly technically inclined so I’m comfortable with common prompt or anything else I may need to do to make this thing go away so the phone is actually usable!”
After digging into the settings and rooting through endless folders on her phone, Malwarebytes discovered a hidden package that is able to re-install itself each time a device is reset.
More concerning is the discovery that something within Google Play was actually triggering the re-infection.
Malwarebytes is keen to point out that Google Play is not actually infected with malware. However, something within it is triggering the re-infection.
Furthermore, that something could also be using Google Play as a smokescreen, falsely presenting it as the source of the malware installation when in reality it was coming from someplace else.
“It’s important to realise that unlike apps, directories and files remain on the Android mobile device even after a factory reset. Therefore, until the directories and files are removed, the device will keep getting infected,” said Malwarebytes’ Nathan Collier.
If you are experiencing re-infections of xHelper, here’s how to remove it:
• Install a file manager from the Google Play Store that has the capability to search files and directories
• Disable the Google Play Store temporarily to stop re-infection:
  • Go to Settings > Apps > Google Play Store
  • Press the Disable button
• Run a scan in Malwarebytes for Android to remove xHelper and other malware
• Manually uninstalling can be difficult, but the names to look for in Apps info are fireway, xhelper, and Settings (only if two settings apps are displayed)
• Open the file manager and search for anything in storage starting with com.mufc
• If found, make a note of the last modified date
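The search and date-noting steps above, as an added example that is not part of the original article or Malwarebytes' tooling. It assumes the phone's storage has been copied to or mounted on a computer; the sample tree, its file names and its dates are constructed.

```python
import os
import tempfile
from datetime import datetime, timezone

PREFIX = "com.mufc"  # name prefix given in the removal steps above


def find_suspect_entries(root, prefix=PREFIX):
    """Return sorted (relative_path, kind, modified_date) tuples for every file
    or directory under root whose name starts with prefix (case-insensitive)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, "dir") for d in dirnames] + [(f, "file") for f in filenames]
        for name, kind in entries:
            if not name.lower().startswith(prefix):
                continue
            path = os.path.join(dirpath, name)
            # lstat: report the entry itself, never follow a symlink out of root
            mtime = os.lstat(path).st_mtime
            day = datetime.fromtimestamp(mtime, timezone.utc).date().isoformat()
            hits.append((os.path.relpath(path, root), kind, day))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample storage layout; names and dates are made up."""
    hidden = os.path.join(root, "com.mufc.example")
    downloads = os.path.join(root, "Download")
    os.makedirs(hidden)
    os.makedirs(downloads)
    for path in (os.path.join(hidden, "data.bin"),
                 os.path.join(downloads, "com.mufc.constructed.apk"),
                 os.path.join(downloads, "photo.jpg")):
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
    # Set timestamps last: creating a file inside a directory updates its mtime.
    os.utime(hidden, (1577836800, 1577836800))  # 2020-01-01 UTC
    os.utime(os.path.join(downloads, "com.mufc.constructed.apk"),
             (1577923200, 1577923200))  # 2020-01-02 UTC


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as storage:
        build_sample_tree(storage)
        for rel_path, kind, day in find_suspect_entries(storage):
            print(f"{day}  {kind:4}  {rel_path}")
```

Dates are reported in UTC, so an entry modified close to midnight local time can show the neighbouring day.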
Speaking about the new threat Collier added: “This, however, marks a new era in mobile malware. The ability to re-infect using a hidden directory containing an APK that can evade detection is both scary and frustrating.
“We will continue analysing this malware behind the scenes. In the meantime, we hope this at least ends the chapter of this particular variant of xHelper.”