TORONTO -- Technology security company Symantec is warning Android users about a “malicious” application called Xhelper that has infected tens of thousands of devices in the past six months that reportedly can’t be removed.

In a blog post Tuesday, Symantec said it had “observed a surge in detections for a malicious Android application that can hide itself from users, download additional malicious apps and display advertisements.”

Symantec says Xhelper is “able to reinstall itself” after Android users uninstall it and is “designed to remain hidden.” Even a factory reset is unable to remove the malware, the company states.

“Xhelper is a service app, which means it exists on the phone but is not visible to the average user,” said May Ying Tee, a Singapore-based software engineer at Symantec, in an email to

“Xhelper does a few malicious actions, from showing advertisements to the users, to downloading and executing more malicious payloads from its remote server onto the users device,” she said.

A malicious or encrypted payload is “where the malware connects to the remote server and downloads more malicious items onto user devices,” Tee said, adding that the company had noticed attempts to hide the malware’s code in encrypted files to avoid detection by malware scanners.

Tee explained that “since the server is controlled remotely, the attacker can literally download anything they wish” onto a user’s device, which makes this malware is “extremely powerful and dangerous.”

Symantec estimates the app has infected over 45,000 devices in the past six months alone, at a rate of about 131 devices “infected each day.” Most of the affected devices have been in the U.S., India and Russia, the blog says.

Tee said that Symantec noticed the malware in March, when an “increasing number of installations” on their customers’ devices caught their attention.

Symantec says the source code of the malware is still a “work in progress.”

Tee said that none of the samples analyzed by Symantec’s investigation showed they were downloaded from apps available on the Google Play Store, which means people could be downloading the malware from “unknown sources.”

“Our telemetry shows signs that there may be another malware that keeps installing Xhelper when it is absent,” she said. “This malware is likely to come pre-installed on user devices, which is something we are currently investigating.”

Symantec’s investigation has led them to believe the malware “may be focusing on specific brands” of phones, but declined to specify which brands they suspected.

Symantec states that its products, as well as Norton products, detect the malware as “Android.Malapp.”

To help protect your devices from getting infected, Symantec suggests users keep their software up to date, recommends only installing apps from trusted sources and to pay attention to “the permissions requested by apps.”