'Unremovable' Malware Infects 45,000 Android Phones: What You Need to Know

A rendering of a digital Trojan horse.
(Image credit: posteriori/Shutterstock)

A specter is haunting Android devices -- the specter of xHelper. 

The xHelper "dropper," which arrives as a Trojan horse hidden in corrupted apps, has infected at least 45,000 Android devices in the past six months, according to a new report from antivirus maker Symantec. For the moment, xHelper downloads and installs (or "drops") nothing more dangerous than annoying adware, but that could change at any time. 

The truly scary part: On many Android devices, xHelper can't be removed. Antivirus apps, system reboots or even factory resets don't seem to be able to always get rid of it. 

A couple of Google Play user-forum commenters reported that xHelper can even turn on the "install apps from unknown sources" feature, which removes the first line of defense against the installation of malicious apps.

We would normally tell you to protect yourself by going into Settings to make sure the "unknown sources" feature is turned off on your phone, to stick to Google Play and to run one of the best Android antivirus apps. But xHelper seems to have found ways around all that. 

You get what you pay for

In August, Malwarebytes reported that it had detected xHelper on 32,000 devices. There shouldn't be much overlap between that number and Symantec's 45,000, indicating that the scope of the xHelper infection may be many times larger.

It's not clear exactly how xHelper maintains persistence, to use industry jargon, but Symantec suspects there may be a hidden malicious system app preloaded on some phones that aids xHelper. The xHelper malware itself is not a standard Android app with the .apk file format, but a machine-readable .dex file that won't show up in the list of installed apps.

Symantec didn't name any phone brands that might be connected to xHelper, but many commenters on Reddit and on Google Play support forums mentioned that they had cheap Chinese-brand phones. 

The names tossed around included Coolpad, Doogee, Hurricane Mobile, Jivi, Micromax, Mobell and Tecno, although some better-regarded brands were also mentioned -- one commenter infected by xHelper claimed to have an HTC One and another a Google Pixel.

"I have a theory that some manufacturers are deliberately installing this malware on your devices to commit fraud or to spy on us or they were also attacked by someone else," wrote Google Play support commenter Onalerona Kgatlane.

What you can do

Several commenters reported success in removing xHelper if they factory-reset their devices, deleted the Google Chrome browser app and set their devices to not automatically update software when connected to Wi-Fi. 

Another reported that the xHelper seemed to be linked to a puzzle game called New2048HD, which no longer appears in the Google Play app store but shows up in third-party markets. 

Malwarebytes also mentioned New2048HD as a likely infection vector. That game is also in the Apple App Store, but there's no indication that there's any infection of iOS devices.

We don't really know yet for sure whether there's hidden code on some devices that installs xHelper. But there have been several instances in the past few years of factory-installed malware or spyware found on cheap Chinese Android phones.

"I guess the moral of the story is don't buy cheap brand phones and only buy top brands or known brands that have been around for years," concluded Google commenter Aubrey Jacobs.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.