An Android malware application has been discovered reinstalling itself even after a factory reset.

Malwarebytes is a cybersecurity firm that was contacted by an Android user who was having trouble removing a particularly nasty and persistent malware, xHelper. No matter what the user did, the malware kept reinstalling itself, even after a factory reset.

Malwarebytes’ researchers initially thought it might be a preinstalled malware, since the device was not from a mainstream manufacturer. Lesser-known manufacturers have been known to have malware preinstalled on their devices. Even taking that into consideration, however, the malware continued reinstalling.

Ultimately, the researchers realized the reinfections were being triggered by Google Play, even though the malware is not on Google Play. Even when an Android device is reset, unlike applications, files and directories remain. In one of those directories, the researchers found an Android application package (APK) that seemed to be triggered by Google Play. Once triggered, it would install, run and then uninstall itself to minimize the chance of being detected. In those few seconds it was installed, however, it would reinfect the phone with the xHelper malware, which would then install even more malware.

Malwarebytes entire report is well worth a read—especially the instructions on how to remove the malware. It remains to be seen, however, exactly how the malware is using Google Play as a trigger.