'Unkillable' Android malware can take over your phone: What to do

A Motorola Moto G5 phone running stock Android 7 Nougat.

(Image credit: SB7/Shutterstock)

Back in October, we warned you of a particularly nasty strain of Android malware called xHelper that had already infected 45,000 phones and seemed to be nearly impossible to remove. Even factory resets didn't help.

Now researchers from Kasperky have figured out just how xHelper makes itself "unkillable," and also how to, well, kill it.

The best Android antivirus apps: Keep your smartphone clean
Best smartphones you can buy right now
New: Galaxy Note 20 will have features iPhone 12 can't match

The xHelper Trojan, which "disguises itself as a popular cleaner and speed-up app," behaves like a matryoshka, a Russian nesting doll, using a multi-stage infection process, Kaspersky's Igor Golovin wrote in a blog post earlier this week.

The end result is infection by Triada malware, which Kaspersky once called "organized crime on Android." This new version of Triada embeds itself deep in the Android system partition, from which it can re-install itself and other malware after a factory reset.

And because at least three of the malicious apps involved in the xHelper/Triada infection process are "droppers" meant to install pretty much anything on a phone, you'll be at risk from all sorts of malware.

What to do if you're infected by xHelper

From there, Golovin writes, the only option is to completely reflash the phone's firmware, which may be beyond the ken of many Android users.

However, researchers at Malwarebytes show how to remove at least one variant of xHelper by using a file-manager app and one of the best Android antivirus apps.

Either method may be "pointless" in some cases, Golovin writes, because "the firmware of smartphones attacked by xHelper sometimes contains preinstalled malware that independently downloads and installs programs (including xHelper)."

The good news is that xHelper seems to affect primarily cheap Chinese-made smartphones running Android 6 Marshmallow or Android 7 Nougat, and which get their apps from sources other than the official Google Play store.

If you're using a flagship or a mid-range Android phone, you've left the settings alone so it doesn't accept apps from "unknown sources," and, yep, you're running one of the best Android antivirus apps, you're probably in the clear.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.