This crazy bit of malware is the best reason to use only Google Play to get your apps

Google Play Store (Image credit: Android Central)

There's a scary bit of malware floating out there in the wild. It's known as xHelper, and what's so bad about it isn't what the malware does once installed, but how it keeps itself installed.

First things first. This isn't any sort of rampant infection by any measure. Symantec and Norton both estimate that there are fewer than 75,000 cases of it in the wild, and when you have 2 billion potential victims, that's a very tiny percentage.

It's not the number of users affected that's troubling but how it's happening.

It's not one of those bad actors that harvests all your data, either. xHelper seems to spam your notifications and change your browser homepage.

It also doesn't come from any apps in Google Play according to every company that's looked into it. Malwarebytes has this to say about it:

The source of these infections is "web redirects" that send users to web pages hosting Android apps. These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan.

So far, this sounds like any number of malware episodes that we see far too often. But this is just the regular part of the story. What's so bad about this one is that the malware keeps finding a way to reinstall itself once it's been uninstalled, even if you factory reset your phone.

Play Protect (Image credit: Android Central)

There are several different theories about how this could be happening. One is that the actual vendor's code is infected (all instances of xHelper have been found on Chinese-made phones that don't have a big US presence). Others think that Chrome is the culprit, as users say uninstalling Chrome is the only way to keep xHelper from coming back.

There are several ways xHelper could be finding its way onto phones. Google Play is not one of them.

Another idea, and the one that makes the most sense to me, is that app data backups through Google's own service contain whatever is needed for xHelper to find its way back into your phone. To top all this off, it keeps finding ways to bypass any security apps including Google Play Protect as it evolves.

How it finds its way back onto infected phones and the potential harm it can cause are concerning. But this whole mess tells us one thing pretty clearly: unless you know how to make sure an app is clean and safe, stick to Google Play for all of your apps.

Let the pros handle things and you'll have fewer problems when it comes to malware. Google may do some silly things, but when it comes to security they know what's up.

Jerry Hildenbrand
Senior Editor — Google Ecosystem
