

Persistent Android Trojan xHelper Now Removable

Several months ago, the Android Trojan “xHelper” infected tens of thousands of devices and could not be removed even after a factory reset of the phone. With the help of the user “misspaperwait,” Malwarebytes was recently able to discover how xHelper repeatedly reinfected devices, leading to a method for removing the Trojan completely. Using a file explorer app, search the device for any files or folders whose names start with “com.mufc.” That prefix is the beginning of the package name of every xHelper variant. Hidden inside each directory that starts with “com.mufc.” is an Android app file (APK) responsible for installing new malware. This app raised new questions about the infection process: it was not installed on the device, it was only present in device storage. This led the researchers to believe the app was being installed in response to a trigger from Google Play, dropping new malware and then uninstalling itself within seconds. The technical details of how Google Play is used to reinstall the malware are still unknown. However, removing the directories was enough to remove the persistent Trojan.

Analyst Notes

Android device owners are strongly encouraged to install apps only from the Google Play store to minimize the chance of infection. While Google does have protections in place, malicious apps can still slip through the largely automated verification process. Most malware that makes it into Play store listings attempts to disguise itself as another popular app, so pay close attention to the application publisher and install apps only from trusted publishers whenever possible. To remove xHelper from an infected device, temporarily disable the Play store through Android’s settings and scan the device with an anti-virus app. Then, with a file browsing app, search for any directories starting with “com.mufc.” and delete them. Google Play should then be safe to re-enable, and xHelper should no longer be able to automatically re-infect the device.
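The cleanup step above is described for a file explorer app. As an added example (not part of the original briefing, and not Malwarebytes' tooling), the following POSIX shell script performs the same search from a terminal app or an adb shell: it enumerates every directory under a storage root whose name starts with “com.mufc.”, reports any APK files inside each one, and can delete the matching directories. The storage root is an assumption (on most devices it would be /sdcard or /storage/emulated/0); the sample tree built by make_sample_tree is constructed for a dry run and contains only empty placeholder files, not real malware.

```shell
#!/bin/sh
# Added example, not from the original briefing. Scans a storage root for
# xHelper-style directories (names beginning with "com.mufc.") and reports
# or removes them. ROOT is an assumption supplied by the caller, e.g.
# /sdcard on a device reached from a terminal app or an adb shell.

# Print every directory under $1 whose basename begins with "com.mufc.",
# followed by any .apk files found inside it, indented with "    apk: ".
find_xhelper_dirs() {
    root="$1"
    find "$root" -type d -name 'com.mufc.*' 2>/dev/null | sort | while read -r dir; do
        printf '%s\n' "$dir"
        find "$dir" -type f -name '*.apk' 2>/dev/null | sort | sed 's/^/    apk: /'
    done
}

# Count how many matching directories exist under $1 (prints a bare number).
count_xhelper_dirs() {
    find "$1" -type d -name 'com.mufc.*' 2>/dev/null | wc -l | tr -d ' '
}

# Remove every matching directory under $1 together with its contents.
# -prune stops find from descending into a directory it is about to delete.
remove_xhelper_dirs() {
    find "$1" -type d -name 'com.mufc.*' -prune -exec rm -rf {} +
}

# Build a constructed sample tree under $1 for a dry run: two "com.mufc."
# directories holding empty placeholder .apk files and one unrelated app
# directory that must survive the cleanup.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/com.mufc.abc123" "$root/com.mufc.xyz/sub" "$root/com.example.app"
    : > "$root/com.mufc.abc123/dropper.apk"
    : > "$root/com.mufc.xyz/sub/payload.apk"
    : > "$root/com.example.app/data.bin"
}

# Usage: sh xhelper_scan.sh /sdcard        (list only)
#        sh xhelper_scan.sh /sdcard --rm   (list, then delete)
if [ "$#" -gt 0 ]; then
    find_xhelper_dirs "$1"
    if [ "${2:-}" = "--rm" ]; then
        remove_xhelper_dirs "$1"
        echo "removed; remaining matches: $(count_xhelper_dirs "$1")"
    fi
fi
```

Run it once without --rm to review the list, and compare the reported directories with the package names of apps you actually installed before deleting anything, since the match is on a name prefix only. The briefing's sequence still applies around the script: disable the Play store first, then scan with an anti-virus app, then remove the directories, and only then re-enable Google Play.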