Conventional wisdom says that the best way to rid yourself of malware is to reset your device to factory defaults and start over.
Security researchers sounded the alarm several months ago after detecting a piece of Android malware that survives factory resets, but no one was able to figure out exactly how it worked. Now, we know, and it’s pretty clever.
The malware, known as xHelper, started appearing on devices early this year with infections concentrated in Russia. It has not appeared in the Play Store because Google’s automated systems would immediately flag it as suspicious. Once installed on a device, xHelper attempts to gain root access, which allows it to modify the system software and set up a backdoor through which it can install other applications.
In February, Malwarebytes confirmed that xHelper could survive factory resets thanks to an undetectable file inside a hidden folder. The file would re-infect the device after each reset, but researchers couldn’t determine how the file got there. Now we know this is the result of a group effort between xHelper and a trojan called Triada that downloads after xHelper has a foothold.
Once installed, Triada manipulates the system partition to add the re-infection framework. It also gives those files special status so they can’t be deleted even by other root functions. Researchers at Kaspersky Labs were even unable to mount the system partition in write mode to remove the malware because Triada modifies important OS libraries.
Luckily, you don’t need to fret about getting this unkillable malware on your phone. As previously mentioned, it’s not spreading via Google Play. The only way to get infected is to sideload APK files from shady third-party websites. Plus, the rooting capabilities of xHelper and Triada only work on Android 6.0 and 7.0 (Marshmallow and Nougat). Newer versions of Android will block xHelper from making any changes to the OS and installing Triada. Ideally, you should always use devices that have current security update support.