A Kaspersky researcher has finally cracked the mystery of how xHelper manages to reappear on Android devices that have been reset. xHelper is a particularly persistent dropper and ad clicker that has infected tens of thousands of Android devices since last year. It doesn’t require any interaction with the user, registers as an unkillable foreground service, follows an automatic restarting cycle if stopped, and manages to reinstate itself on the infected device even if the user performs a factory reset. For this last reason, some suggested that xHelper could even be the result of supply chain attacks on smartphone manufacturers.
Researcher Igor Golovin has analyzed xHelper and figured that it follows a matryoshka-style infection chain, which involves the use of multiple modules for obscurity. xHelper gains root access on Android 6 and 7, and it installs files directly in the system partition, which should typically be out of reach. The data copied to the “/system/bin” and the “/system/xbin” folders include several executable and asset files, like a modified version of the libc.so system library. These are run upon system startup and are backed by the “immutable” attribute, so the malicious process stays unaffected no matter what the user tries to throw at it.
So, removing xHelper doesn’t result in the disinfection of the device, as the malware still has superuser rights to rewrite itself and its files on the system partition, and just stay there indefinitely. One way to oust it would be to enter “recovery” boot mode on your Android smartphone and replace the infected libc.so with a clean version of the file. A simple way to kick xHelper out of your device once and for all would be to perform a fresh system/firmware installation. This way, the system partition is flashed, and all of the malware’s components are wiped.
Remember, the bootloader needs to be unlocked to flash your device. Moreover, you shouldn’t download OS images from anywhere, as there are many sources out there that distribute firmware pre-infected with malware, even xHelper itself. Finally, not all firmware versions are compatible with your specific device, so check the functionality spectrum covered for your model before proceeding with the flashing. If you’re using a device that is still running on Android 6 or 7, maybe it would be time to consider something fresher and more secure anyway.