First discovered around a year ago, xHelper has infected roughly 55,000 Android devices around the world. There’s a lot of Android malware around, but xHelper is particularly insidious because it cannot be removed, even if you factory reset your phone, and a complete reset has always removed even the nastiest malware.
Now, researchers at Kaspersky have studied the Trojan in depth and have figured out precisely why it’s ‘unkillable’.
What is xHelper on Android?
It typically disguises itself as a system cleanup or tune-up utility. Once installed, it does several things, including granting itself ‘root’ access on your phone (or tablet).
This is very bad news, as root access gives the malware permission to basically do whatever it wants.
And one of the things it does is to download more malware and install it in the system partition, an area of storage which isn’t supposed to be available for apps, and is normally read-only.
Secondly, it sets itself to be ‘immutable’, meaning it cannot be deleted, which is one of the key reasons even antivirus apps have a tough time removing it.
Worse still, when it is removed, it can reappear within an hour and continue to wreak havoc on your phone.
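To check for the two traits described above together (files in the system partition that are marked immutable), the following added example, which is not from the original article or from Kaspersky, filters `lsattr -R` output for the `i` attribute. It assumes that 'immutable' refers to the Linux filesystem attribute reported by `lsattr`; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files that carry the immutable ('i') attribute in
# `lsattr -R` output, limited to one path prefix (default: /system).
# Assumed input format: "<flags> <path>", one file per line.

# find_immutable [PREFIX] : reads lsattr output on stdin, prints matching paths.
find_immutable() {
    prefix="${1:-/system}"
    awk -v prefix="$prefix" '
        NF < 2 { next }                 # blank lines, "/dir:" headers
        $1 !~ /^[-A-Za-z]+$/ { next }   # error lines, headers with spaces
        {
            flags = $1
            path = $0
            # Drop the flags column; keep the rest so spaces in names survive.
            sub(/^[^ \t]+[ \t]+/, "", path)
            # Lowercase "i" is immutable; uppercase "I" (indexed dir) is not.
            if (index(flags, "i") > 0 && index(path, prefix "/") == 1)
                print path
        }
    '
}

# Constructed sample listing (not captured from a real device).
sample_lsattr() {
cat <<'EOF'
/system/bin:
-------------e----- /system/bin/sh
----i--------e----- /system/bin/constructed_payload

/system/app/Constructed App:
----i--------e----- /system/app/Constructed App/base.apk
-------------e--I-- /system/app/indexed_dir
----i--------e----- /data/local/constructed_immutable
lsattr: Permission denied While reading flags on /system/secret
EOF
}

# Demo run on the constructed sample: prints the two flagged /system paths.
sample_lsattr | find_immutable
```

A file flagged this way cannot be deleted, even by root, until the attribute is cleared with `chattr -i`.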
If you want to read more about the technical details then have a look at Kaspersky’s blog post. The author, Igor Golovin, a malware analyst, says “xHelper is particularly dangerous because it creates a backdoor that the attackers can use to execute commands as if they’re a superuser, as well as gain access to all app data. A similar backdoor can then be used by other malware, like CookieThief, to attack the same device. Since xHelper is nearly impossible to remove, it’s important that Android users stay vigilant about what they’re downloading on their phone and always use a strong mobile security software. The good news—if you are downloading apps from official stores, chances of encountering this malware are very, very low”.
How do I uninstall xHelper from Android?
Install some good antivirus software. Kaspersky obviously recommends its own apps (including Security Cloud) and says that it successfully blocks the threat from being installed on your phone, but of course there are many others, including
This is the only thing that most people will be able to do, but it is not a guarantee that it will fix your phone.
That’s because there are multiple variants of xHelper and they work in slightly different ways.
Ultimately, the only way to guarantee xHelper will be removed is to do what’s called ‘reflashing the firmware’ on your phone. The firmware mainly contains the Android operating system. When you do a factory reset, all that happens is that your apps, photos and other data are removed.
But nothing is touched in the system partition mentioned earlier, so xHelper is still there to do its dirty work.
Reflashing the firmware is possible if you can download it for your specific phone from the manufacturer’s website to your laptop or PC. And you need to be careful to install the correct firmware for your phone model, so check the precise model number, and not just the broad name of your phone as there can be different versions sold in different regions.
If the manufacturer doesn’t provide software for Windows or macOS to put that firmware on your phone, you’ll need to download something like Minimal ADB and follow the instructions on that XDA thread to use it.
Another method is to install a file manager app on your phone and manually remove xHelper (and the other malware it has installed). More details can be found on
In rare cases, the firmware from the manufacturer actually contains xHelper, which means you’ll need to track down an alternative ROM for your phone. Fortunately, this has only been observed on lesser-known Chinese phones, and not on any big brand.
Also, infections have tended not to be in Western Europe or the US, but it is still worth running antivirus software and being extremely careful of what you install outside of official app stores.
There are many other reasons why you should run antivirus software on your Android phone, including to stop fake apps from spying on you and to prevent adware from showing pop-up adverts all the time.