A particularly persistent malware infection has been spreading amongst Android phones — and removing it only seems to bring it back with a vengeance. The Trojan xHelper, which Malwarebytes first wrote about last May, is reportedly re-spawning on devices where it’s already been removed.
Even a factory reset won’t do it — If virus-removal software doesn’t take care of a nasty infection, a hard reset will usually do the trick. But users report that even a full factory reset of an infected device doesn’t wipe xHelper out completely. Within an hour the malware is usually back and ready to wreak havoc.
The culprit: Google’s Play Store — Most phone-based viruses are attached to an app that’s been installed by the user, but Malwarebytes has found that somehow the Trojan xHelper is being deployed from the Play Store itself. In order to remove the virus, users must first completely disable the Play Store through Android’s settings. Malwarebytes suggests then running a virus scan and manually removing the virus’s deployment files through a file manager.
Google needs to investigate — As far as Malwarebytes is concerned, this is an entirely new trick for malware to pull. Though it’s well known that Android uses permanent file folders for the sake of persistence, this virus proves those folders can be tampered with. Google will need to re-examine its persistent folder security and update its mobile OS soon to keep many more hackers from duplicating this method in the future.