What if xHelper infected your phone?

4 min readMar 4, 2021

Remember xHelper? A mysterious piece of android malware that re-installs itself on infected devices even after users delete it or Factory reset their devices. Making it nearly impossible to remove. now we all heard of those stories and Reddit posts like this one.

xHelper is basically a trojan that misleads users of its true intent it’s like an innocent evil that hides its true intent. this trojan registered for infecting over 45k devices over the 6 months period of time in 2019 and is still infecting over 100 devices each day and the number of infected devices are still growing.

so let’s see for consequences and what would happen if you accidentally install xhelper on your device.

it’s a shiny day and you’re just having your fun relaxed time you’re listening to music and browsing the internet and, you accidentally download malware on your phone named as xHelper which doesn’t seem harmful and your curiosity leads you to install this mysterious app.

This app does not have a user interface means the app is not available in the application launcher for you to access. so you’ll not be informed about the tasks it's doing in the background. as you can see in the picture below.

code used to not list the app in launcher (top) code used to list app in launcher (bottom)

xHelper “modifies a system library (libc.so) intending to prevent infected users from re-mounting system partition in the write mode.” libc is the C standard library for the programming of C language (as specified in the ISO C standard) the modification is made in intention of sticking the infected users in the read-only mode of the (system partition is the primary partition that is used as the active boot partition) and as a result, the infected user will not be able to delete the malware.

you might think till this point your firewall would inform you about this malware but that doesn’t seem to be the case here, the malware is skilled at keeping its stealthier presence. It quietly waits for its controller to give it commands and will act accordingly.

One more thing to notice here is xhelper cant be launched manually by the user, the app is launched by the external events which trigger it, “such as when the compromised device is connected to or disconnected from a power supply, the device is rebooted or an app is installed or uninstalled.”

actions to trigger the malware

This gives the attacker full stealth access to the targeted device without any interruption between the session. The app even loads itself as the foreground services lowering its chances get killed by the memory optimizer when there is low memory.

so how do you protect yourself from the malware

How to protect

now I know how boring these steps are but you need to protect your devices from these kinds of malware.

to protect yourself from these types of malware you need to make sure your device is up to date. make sure you are running the most recent version of your operating system.

you should now download the untrusted applications from unknown sources disable download from untrusted sources on your device.

make sure your firewall versions are up to date you should use good quality firewalls.

don’t connect to untrusted networks or if connected make sure you don't download unknown apps from random websites.

Your data is what most important to you so make sure you have a full backup of your important data in a safe place.

So these were the steps I would recommend you to protect yourself online.

Further reading — if you want to find a detailed guide on how this app was operating you should check out these sites






I'm a cybersecurity aspirant currently working on my skills, wannabe hacker.