Several months ago, the Android Trojan “xHelper” infected tens of thousands of devices and could not be removed even after a factory reset of the phone. With the help of the user “misspaperwait,” Malwarebytes recently discovered how xHelper was able to re-infect devices repeatedly, which led to a solution for removing the Trojan completely.

Using a file explorer app, search the device for any files or folders whose names start with “com.mufc.” That prefix is the beginning of the package name of every xHelper variant. Hidden inside each directory that starts with “com.mufc.” is an Android app file that is responsible for installing new malware.

Unfortunately, this app raised new questions about the infection process. It was not installed on the device; it was only present in device storage. This led the researchers to believe the app was being installed in response to a trigger from Google Play, dropping new malware and then uninstalling itself within seconds. The technical details of how Google Play is used to reinstall the malware are still unknown. However, removing the directories was enough to remove the persistent Trojan.
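To turn the manual search described above into a repeatable check, here is an added example (not code from the original article, Malwarebytes, or Binary Defense) that scans a local copy of the device's shared storage, assumed to have been made with `adb pull /sdcard ./sdcard_copy`, for “com.mufc.*” directories and counts the APK-like files in each; it goes slightly beyond the text by recognising APKs via their ZIP magic bytes rather than by file extension, and it assumes `head -c` is available (GNU, BusyBox and macOS all provide it).

```shell
#!/bin/sh
# Added example, not from the original article: scan a local copy of the
# device's shared storage (assumed to come from `adb pull /sdcard ./sdcard_copy`)
# for the "com.mufc.*" directories described above and report how many
# APK-like files each one holds. APKs are ZIP archives, so a file is counted
# when it starts with the ZIP magic bytes "PK\003\004", whatever its
# extension. Nothing is deleted; review the report before removing anything.

# Return 0 if the file begins with the ZIP local-file-header magic (50 4b 03 04).
is_zip_file() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "504b0304" ]
}

# Print the number of ZIP/APK-like regular files anywhere beneath directory $1,
# hidden files included.
count_zip_files() {
    find "$1" -type f 2>/dev/null | {
        n=0
        while IFS= read -r f; do
            if is_zip_file "$f"; then n=$((n + 1)); fi
        done
        echo "$n"
    }
}

# Print one report line per directory named com.mufc.* beneath $1:
#   <dir> apk_like_files=<n>
# Prints nothing when no such directory exists.
scan_xhelper_dirs() {
    find "$1" -type d -name 'com.mufc.*' 2>/dev/null | sort | while IFS= read -r dir; do
        printf '%s apk_like_files=%s\n' "$dir" "$(count_zip_files "$dir")"
    done
}

# Usage: sh scan_xhelper.sh /path/to/sdcard_copy
[ $# -eq 0 ] || scan_xhelper_dirs "$1"
```

Every directory the report lists is a candidate for the removal step the article describes; the count tells you whether the hidden installer file is still present inside it.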
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense