A known piece of malware can survive even formatting the phone and go on to re-infect Android smartphones. The xHelper Trojan horse was first discovered in May 2019, but a Malwarebytes analysis published last Wednesday (12) shows that it still poses a danger: even though it is detected by the main antivirus products, it keeps returning to the victim's cell phone.
The case was discovered after a Malwarebytes antivirus user opened a complaint with the company. Technicians then started a series of tests to find out why the Trojan returned even after it was deleted or after a complete restoration of the cell phone was performed. According to the report, the threat reappears just an hour after it is supposed to have been removed. According to the experts, the behavior is linked in some way to the Google Play Store.
The first hypothesis was that the malware came pre-installed on the cell phone, but the experts ruled it out in the first analyses. The surprise came when, in one of the experiments, xHelper stopped reappearing once the Android store had been disabled. The Google Play Store app itself was not infected, but some element of the software caused the Trojan horse to reappear.
It is not yet known how xHelper uses Google's services to infect the victim's cell phone again. Malwarebytes suspects that some basic function of the application signals external servers that the malware has been removed, causing a new download of the Trojan horse.
Once downloaded, it would be able to install itself, run its malicious code and then automatically remove itself to avoid detection. Files left behind and kept after formatting would play a crucial role in the reinfection process.
According to Malwarebytes, to remove xHelper from the phone, the user must disable the Google Play Store, run the antivirus and remove the malware. Then the user must open a file manager and find the items with names that begin with "com.mufc".
All such files must be removed manually, as well as other directories installed at exactly the same date and time. The Google Play Store can be reactivated normally afterwards. Malwarebytes does not specify the version of Android or the phone model on which the procedure was tested.
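The manual search in the last two steps can be scripted against the phone's storage or a copy of it. The sketch below is an added example, not code from Malwarebytes or from this article; the function name, the `tolerance_s` parameter and the use of modification time as the "date and time" are assumptions. It only reports candidates and deletes nothing.

```python
import os
import sys
from pathlib import Path

PREFIX = "com.mufc"  # name prefix given in the article


def find_leftovers(root, tolerance_s=0):
    """Report-only scan of a storage tree.

    Returns (markers, same_time):
      markers   - files and directories whose name starts with PREFIX
      same_time - other directories whose mtime is within tolerance_s
                  seconds of a marker's mtime, for manual review
    """
    markers, other_dirs = [], []
    for dirpath, dirnames, filenames in os.walk(Path(root)):
        here = Path(dirpath)
        markers += [here / f for f in filenames if f.startswith(PREFIX)]
        for d in list(dirnames):
            if d.startswith(PREFIX):
                markers.append(here / d)
                dirnames.remove(d)  # contents are removed with the marker
            else:
                other_dirs.append(here / d)

    # lstat so a dangling symlink is reported instead of raising
    stamps = [int(m.lstat().st_mtime) for m in markers]
    # Creating an entry updates its parent's mtime, so the ancestors of a
    # marker would match by accident; leave them out of the report.
    ancestors = {a for m in markers for a in m.parents}
    same_time = [
        d for d in other_dirs
        if d not in ancestors
        and any(abs(int(d.lstat().st_mtime) - s) <= tolerance_s for s in stamps)
    ]
    return sorted(markers), sorted(same_time)


if __name__ == "__main__":
    found, related = find_leftovers(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p in found:
        print("marker   ", p)
    for p in related:
        print("same time", p)
```

Directories listed as "same time" are candidates only; a legitimate folder can share a timestamp with a marker, so each one needs a look before it is removed.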