Dubbed xHelper, this malware was first spotted back in March but slowly expanded to infect more than 32,000 devices by August, eventually reaching a total of 45,000 infections this month.
Symantec says the xHelper crew is making on average 131 new victims per day and around 2,400 new victims per month. Most of these infections have been spotted in India, the US, and Russia.
According to Malwarebytes, the source of these infections is "web redirects" that send users to web pages hosting Android apps. These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan.
The trojan doesn't carry out destructive operations yet. According to both Malwarebytes and Symantec, for most of its operational lifespan, the trojan has shown intrusive popup ads and notification spam. The ads and notifications redirect users to the Play Store, where victims are asked to install other apps -- a means through which the xHelper gang is making money from pay-per-install commissions.
XHelper gains access to an Android device via an initial app and installs itself as a separate self-standing service. Furthermore, you can't remove the app, as the trojan reinstalls itself every time, even after users perform a factory reset.