xHelper is an Android malware that security vendor Malwarebytes first detected in May 2019.
It is a stealthy malware that is hard to remove. Even after the user restores the factory settings, the device is re-infected, causing continuous trouble to users around the world.
Malwarebytes' security researchers have been studying the threat, and in a recent blog post the team said that, although it is still not clear how the malware reinstalls itself, they have found enough information about how it operates to permanently delete it and prevent xHelper from reinstalling itself after a factory reset.
According to the Malwarebytes team, xHelper found a way to use a process in the Google Play Store app to trigger a reinstall operation. With a special directory created on the device, xHelper can hide its Android application package (APK) on disk.
Unlike the app, its directories and files remain on the Android mobile device even after a factory reset. Therefore, the device will continue to be infected until the directories and files are deleted.
Malwarebytes explained in its analysis of the malware, "Google Play is not infected with malware. However, certain events in Google Play triggered a re-infection; there may be something in storage.
In addition, there may be things that use Google Play as a smoke screen, disguising it as a source of malware installation, when it actually comes from elsewhere."
Method to remove xHelper
It's worth noting that the following removal steps rely on the user to install the Malwarebytes app for Android, but the app is free to use.
The specific deletion steps are as follows:
- Install a file manager from Google PLAY, which can search for files and directories.
  - Amelia uses ASTRO's File Manager.
- Temporarily disable Google PLAY to stop reinfection.
  - Go to Settings > Apps > Google Play Store
  - Press the disable button
- Run a scan in Malwarebytes for Android to remove xHelper and other malware.
  - Uninstalling manually can be difficult, but the names to look for in the Application information are fireway, xhelper, and Settings (only if two settings applications are displayed).
- Open the file manager and search for anything that starts with com.mufc.
- If found, note the last modified date.
  - Pro tip: Sort by date in file manager
  - In ASTRO's file manager you can sort by date under view settings
- Delete everything starting with com.mufc. and anything with the same date (except for core directories such as Download).
- Re-enable Google PLAY
  - Go to Settings > Apps > Google Play Store
  - Press the enable button
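The search-and-compare-dates steps above can be scripted as a read-only check over a copy or mount of the device storage. This is an added example, not code from Malwarebytes; the directory name com.mufc.example, the sample tree and the core-directory names other than Download are assumptions made for the illustration.

```python
import os
from datetime import datetime
from pathlib import Path

MARKER_PREFIX = "com.mufc."  # prefix named in the removal steps
# "Download" is the page's example of a core directory; the other names are
# an assumption (standard Android shared-storage folders), adjust as needed.
CORE_DIRS = {"Download", "DCIM", "Pictures", "Music", "Movies", "Documents"}

def mtime_date(path):
    """Local calendar date of last modification, as a file manager lists it."""
    return datetime.fromtimestamp(path.lstat().st_mtime).date()

def triage(storage_root):
    """Report com.mufc.* entries and their same-date siblings; deletes nothing."""
    root = Path(storage_root)
    markers = []
    for dirpath, dirnames, filenames in os.walk(root):
        hits = [n for n in dirnames + filenames if n.startswith(MARKER_PREFIX)]
        markers += [Path(dirpath) / n for n in hits]
        # A marker directory is removed whole, so do not descend into it.
        dirnames[:] = [d for d in dirnames if d not in hits]
    same_date = set()
    for marker in markers:
        wanted = mtime_date(marker)
        for sibling in marker.parent.iterdir():
            if sibling.name.startswith(MARKER_PREFIX) or sibling.name in CORE_DIRS:
                continue  # already reported, or a core directory to keep
            if mtime_date(sibling) == wanted:
                same_date.add(sibling)
    rel = lambda paths: sorted(str(p.relative_to(root)) for p in paths)
    return {"markers": rel(markers), "same_date": rel(same_date)}

def make_sample_tree(root):
    """Build a constructed sample storage layout for the demo run."""
    day = datetime(2019, 5, 10, 12).timestamp()
    for name, ts in [("com.mufc.example", day), (".cache_x", day),
                     ("Download", day), ("Notes", day + 5 * 86400)]:
        (Path(root) / name).mkdir()
        os.utime(Path(root) / name, (ts, ts))

if __name__ == "__main__":
    import sys, tempfile
    with tempfile.TemporaryDirectory() as tmp:
        if len(sys.argv) < 2:
            make_sample_tree(tmp)  # no path given: demo on the constructed tree
        print(triage(sys.argv[1] if len(sys.argv) > 1 else tmp))
```

Entries listed under same_date are candidates to review before deletion, since unrelated files can share a modification date with the com.mufc. directory.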