Friday, April 16, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Security

There’s finally a way to remove xHelper, the unremovable Android malware

February 16, 2020
in Internet Security
Zero-day disclosed in Android OS
586
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

It has taken security researchers nearly ten months to discover a reliable method of cleaning smartphones infected with xHelper, a type of Android malware that, until recently, has been impossible to remove.

The removal technique is described at the end of this article, but first some context for readers who want to learn more about xHelper.

You might also like

Mozilla to start disabling FTP next week with removal set for Firefox 90

Swinburne University confirms over 5,000 individuals affected in data breach

OWC partners with Acronis protect your backups from ransomware attacks

This particular malware strain has caused quite the pain for users all over the world in the past ten months. The malware was first spotted back in March 2019, when users began complaining on various internet forums about an app they weren’t able to remove, even after factory resets.

These apps were responsible for perstering users with intrusive popup ads and notification spam. Nothing really malicious, but still very annoying.

As the year progressed, xHelper campaigns expanded the malware’s reach, infecting more and more devices. According to a Malwarebytes report, there were around 32,000 infected devices by August, a number that later reached 45,000 by late October, when Symantec researchers also published their own report on the threat.

According to researchers, the source of these infections was “web redirects” that sent users to web pages hosting Android apps. The sites instructed users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps eventually downloaded and installed the xHelper trojan.

But while discovering its source, reach, and point of infection was easy, what confounded security researchers last year was that they couldn’t remove the malware from a device by traditional methods, such as uninstall the original xHelper app or by a factory reset.

Every time a user would factory reset the device, the malware would simply pop up a few hours later, reinstalling itself with no user interaction.


Image: ZDNet

The only way to remove xHelper was to perform a full device reflash by reinstalling the entire Android operating system, a solution that was not possible for all infected users, many of whom didn’t have access to the correct Android OS firmware images to perform a reflash.

Some clues emerge

Since coming across the malware last year, security researchers from Malwarebytes have continued to look into the threat.

In a blog post today, the Malwarebytes team say that while they still haven’t figured out exactly how the malware reinstalls itself, they did discover enough information about its modus operandi in order to remove it for good and prevent xHelper from reinstalling itself after factory resets.

The Malwarebytes team says that xHelper has apparently found a way to use a process inside the Google Play Store app in order to trigger the re-install operation.

With the aid of special directories it had created on the device, xHelper was hiding its APK on disk to survive factory resets.

“Unlike apps, directories and files remain on the Android mobile device even after a factory reset,” says Nathan Collier, Senior Malware Intelligence Analyst at Malwarebytes.

Collier believes that once the Google Play Store app performed some yet-to-be-determined operation (supposedly some kind of scan), it reinstalled itself.

Removal instructions

Collier has now put together a series of steps that users can follow to remove the xHelper malware from devices and prevent it from reinstalling itself.

Of note, these instructions rely on users installing the Malwarebytes for Android app, but this app is free to use, so it shouldn’t be any issue for users.

Step 1: Install a file manager from Google Play that has the capability to search files and directories. (ex: Amelia used File Manager by ASTRO).

Step 2: Disable Google PLAY temporarily to stop re-infection.

  • Go to Settings > Apps > Google Play Store
  • Press Disable button

Step 3: Run a scan in Malwarebytes for Android to identify the nameof the app that hides the xHelper malware. Manually uninstalling can be difficult, but the names to look for in the Android OS Apps info section are fireway, xhelper, and Settings (only if two settings apps are displayed).

Step 4: Open the file manager and search for anything in storage starting with com.mufc.

Step 5: If found, make a note of the last modified date.

  • Sort by date in file manager
  • In File Manager by ASTRO, you can sort by date under View Settings.

Step 6: Delete anything starting with com.mufc. and anything with same date (except core directories like Download):

xhelper-file-manager.png

Image: Malwarebytes

Step 7: Re-enable Google PLAY

  • Go to Settings > Apps > Google Play Store

Credit: Zdnet

Previous Post

Bloomberg-Clinton 2020 Sends One Signal to Bernie Voters: ‘Screw You!’

Next Post

Facebook AI (Artificial Intelligence): Will M&A Help?

Related Posts

Mozilla to start disabling FTP next week with removal set for Firefox 90
Internet Security

Mozilla to start disabling FTP next week with removal set for Firefox 90

April 16, 2021
Swinburne University confirms over 5,000 individuals affected in data breach
Internet Security

Swinburne University confirms over 5,000 individuals affected in data breach

April 16, 2021
OWC partners with Acronis protect your backups from ransomware attacks
Internet Security

OWC partners with Acronis protect your backups from ransomware attacks

April 16, 2021
NordVPN review: A market leader with consistent speed and performance
Internet Security

NordVPN review: A market leader with consistent speed and performance

April 16, 2021
Microsoft rolls out Edge 90, with new history search, Kids Mode, to mainstream users
Internet Security

Microsoft rolls out Edge 90, with new history search, Kids Mode, to mainstream users

April 16, 2021
Next Post
3 Kinds Biases Found In AI Datasets

Facebook AI (Artificial Intelligence): Will M&A Help?

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

Ethics Leadership Continues to Churn at Google; Bengio Out, Dr. Croak is In 
Artificial Intelligence

Ethics Leadership Continues to Churn at Google; Bengio Out, Dr. Croak is In 

April 16, 2021
How To Ensure Your Machine Learning Models Aren’t Fooled
Machine Learning

How To Ensure Your Machine Learning Models Aren’t Fooled

April 16, 2021
Mozilla to start disabling FTP next week with removal set for Firefox 90
Internet Security

Mozilla to start disabling FTP next week with removal set for Firefox 90

April 16, 2021
22-Year-Old Charged With Hacking Water System and Endangering Lives
Internet Privacy

Severe Bugs Reported in EtherNet/IP Stack for Industrial Systems

April 16, 2021
QScout Quantum Computer from Sandia Labs Open for Research Business  – AI Trends
Artificial Intelligence

QScout Quantum Computer from Sandia Labs Open for Research Business  – AI Trends

April 16, 2021
Scientists use machine learning to classify millions of new galaxies
Machine Learning

Scientists use machine learning to classify millions of new galaxies

April 16, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • Ethics Leadership Continues to Churn at Google; Bengio Out, Dr. Croak is In  April 16, 2021
  • How To Ensure Your Machine Learning Models Aren’t Fooled April 16, 2021
  • Mozilla to start disabling FTP next week with removal set for Firefox 90 April 16, 2021
  • Severe Bugs Reported in EtherNet/IP Stack for Industrial Systems April 16, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates