How can I remove andr/xgen-vc? I did'nt find this malware in internet, exept in an Sophos help file. Several other antimalware does'nt find it at all. Is it a fake?

Thanks for kindly help

  • Hi,

    I have got the same problem as you described.

    I think it was in the beginning of last week, when Sophos Mobile Security found that "Andr/Xgen-VC" file/ malware on my phone.

    I just got the message that this file was found and classified as harmful object. A look on the object details showed that this file/ malware is located in an application called "update" (version 6.2.3), but there are no other options or information given about what to do.

    A research on the internet just showed me the following Sophos website:

    After that I also installed further antimalware software to check, if they also find this file/malware. But they don't.

    In the next step I had a deeper look in my phone settings and applications. The "update" application is listed under system processes, so that I can ‘not deactivate or delete this app. After a while I found out that this "update" application is the application for general system updates of my phone. If I use the path (settings --> about this phone --> system update) there is a pop-up message that Sophos has detected this application as malware.

    So, I don't know how to handle this, but I am glad to read that there is someone in the same situation. I think it would be interesting to know, if it is the same "update" application in both cases, which is detected as malware.



  • Hi Joachim Hoster & Tim Krieger,

    Anr/Xgen-vc is Sophos nomenclature for android based malwares, you may not find any reference with other AV vendors(As they might follow thier own naming methods) or othr sources.

    May I know if you are using Central or On-premise version of Sophos Mobile control?

    - Thanks for the addtional information on this. Will it be possible to provide the log for the detection? (Navigate to Sophos Mobiel security > Menu > log >Check for Security assessment entry)

  • In reply to Tim Krieger:


    auf Grund Ihres Namens nehme ich an, dass ich auf Deutsch antworten kann.

    Ich bin in der gleichen Situation, wie Sie und habe auch andere Antimalware installiert. Danach noch ein Versuch mit Sophos mit dem gleichen Ergebnis.

    Leider kann ich nichts dazu sagen, ob es das gleiche "update" ist.

    Da Sie offensichtlich besser englisch kommunizieren können, bitte ich Sie den Casus weiter zu verfolgen.

    Auch wenn es eine kostenlose Version von "Sophos Mobile Security für Android" war, finde ich es nicht kundenfreundlich, wenn man keine deutlichere Unterstützung durch den Hersteller bekommt. Ich bin daher ebenso froh, dass ich nicht der Einzige bin.

    Mit freundlichen Grüßen,

    Joachim Hoster

    Just in case:

    I'm in the same situation as you and have other antimalware installed. Then another try with Sophos with the same result.

    Unfortunately I can not say anything, if it is the same "update".

    Since you obviously can communicate better English, I ask you to pursue the case further.

    Although it was a free version of "Sophos Mobile Security for Android", I find it not customer friendly unless you get clearer support from the manufacturer. So I'm just as glad that I'm not the only one.

    Best regards,

  • In reply to Gowtham Mani:

    I have  the same problem since yesterday, when I started some updates manually. It keeps popping up with every automatic scan. But as Tim observed this is the system update which I cannot delete and Sophos doesn't let me.

    In what is called in German "Protokoll" (I suppose this is what you mean by Menu > log ) it says it didn't find any threat or PUAs today.

    I also installed another security app that didn't detect this"threat". So Sophos better update their database and help us!!!

    Funny: is this only a problem in the German version of the app ???

  • In reply to Gowtham Mani:


    thanks for your answer. I for myself am using Sophos Mobile Security, so the Sophos freeware. I am not sure if this is the answer to your question if I am using Central or On-premise version of Sophos Mobile Control because I think there is a difference between Mobile Control and Mobile Security.

    According to the log entry:

    When I had a look in the log for that entry, I first could not find any entry where the detection of that malware was mentioned. The reason for this is, that there is no malware or PUA detected during the daily scheduled scan. But when I perform a manual scan the malware is detected. The according log entry is:

    “Threat "Andr/Xgen-VC" was found in app "Update" (”

    (I am using the German version of this app, so the text above is my own English translation, and so it might not be exact the same as in the English version of the app.)

  • In reply to Tim Krieger:

    Hi Tim Krieger,

    This is something that we would like to investigate further with the logs from the respective device. The best course would be to open a support case (Anyone with a non-free version of Sophos Mobile security) so that we can move forward with this detection.

    If Anyone already has a support case open, please DM the details.

  • In reply to Gowtham Mani:

    [#8244402] is my Web support query

    Gertrud Szilinsky

  • In reply to G Szilinsky:

    Actually, I really liked the mobile app from Sophos.

    I had an unsuccessful attempt to communicate directly with Sophos by phone and open a case. I tested several antimalware and installed Sophos one last time. After that I decided for another product.

    Unfortunately, I can not serve with a logfile anymore.

    I wish all concerned good luck in finding the cause for the wrong message, my first guess (see my beginning of this thread).


    Joachim Hoster

  • In reply to Joachim Hoster:

    Hi everyone,

    would it be possible to get details regarding the devices in use (Manufacturer & model) and the currently installed firmware version?
    Our Labs team is currently investigating this issue and requires this information.

    Thank you in advance


  • In reply to SDU:


    good to hear that you’re working on this issue. I am using the Gigaset GS270 plus with android version 7.0. The actual installed firmware version is “GIG_GS270_plus_S120”.

    Earlier this morning I also communicated with Joachim Hoster via private message and so I know that he is also using the Gigaset GS270 plus with android version 7.0.




  • In reply to SDU:

    Seems to be a Gigaset problem: I have a Gigaset GS170, Android 7.0, Build GIG_GS170_S110, Kernel 3.18.35+, Baseband-Version MOLY.LR9.W1444.MD.LWTG.MP.V110.5.P33 2017/11/14

    [#8244402] Web support query won't help me, because it doesn't apply to the free version

  • In reply to SDU:

    Hi Stefan,

    GS270 plus

    android 7.0

    Baseband ver. MOLY:LR11.W16.30.MD.MP.V16.3.P17, 2018/05/08

    Kernel ver. 3.18.35+

    Build GIG_GS270_plus_S120


    I ask for help though I have a freeware version.

    Thank you in advance,


  • In reply to Joachim Hoster:

    Hi everyone,

    thank you for the device details.
    I have forwarded them to our Labs team for further investigation.
    Once I get additional information from them, I will update this thread.

    Best regards

  • In reply to SDU:

    So another five days have passed. Are there any solid news on this yet? Still getting the same results here.

    Is there an ETA as to when this will be resolved? What's the current status of this? Are more tickets necessary or will this issue be taken care of via the information you forwarded to the "labs team".

    I'm running a Sophos UTM home license and was very happy with the product. It led me to believe Sophos is a trustworthy and experienced security company but so far I'm utterly disappointed by the handling of this issue.

    1. First of all do you realize that Sophos Mobile Security (SMSecurity from now on) is currently blocking the updater component for all of the affected devices? Currently you are denying security upgrades for affected devices - in other words Sophos Mobile Security makes those devices less secure. Why? And why the relaxed approach to resolve this brand wide issue?
    2. Secondly the app (SMSecurity) does not allow whitelisting apps. The Manage Allowed Apps feature does not work - it only has a trashcan icon, no icon to add apps.
    3. Third, once "detected" SMSecurity will not forget about that - even if you DISABLE scanning system apps or blocking PUAs as well as running a new manual scan.
    4. Also the scanner itself cannot be disabled! Even if you disable all checkmarks in the scanner settings the scanner shows itself as still active.
    5. Next is why the hell is the software so restrictive about PUAs anyways. The definition of PUA is potentially unwanted application. Please make sure you are correct on the labeling
    6. Furthermore this issue affects all devices from gigaset. In my case a GS370 Plus - the severity is very high, the response time very poor. Nothing even close I am expecting from a security company trying to keep my device up to date and secure.
    7. Sixth is I have to doubt that the setting Data Tracking works for the benefit of the user if all this can be seen in plain daylight and nothing is done. Putting the security of affected devices at SERIOUS risk.
    8. The information on the "scan result" is not helpful at all. "Malicious object > Threat Andr/Xgen-VC identified". What's making me more secure now based on that information?
      Is it being blocked? Removed? Quarantined? Allowed? Can I whitelist it?
      The info on the "More Details..." page is useless again. It's a search on for andr~xgen-vc!
    9. How does the app handle exceptions and issues? How can I report issues? Even the help section is broken (not sure if always but when I last checked it gave me: "Help is currently unavailable. Please try again later."
      I expect a lot more from a security tool and especially the incident process.

    One threat or PUA found.
    Security assessment; 2018/07/27 01:01:35; com.gigaset.helpapp added to security assessment
    Scanner; 2018/07/27 01:01:17; Threat 'Andr/Xgen-VC' was found in app 'Upgrade' (
    Security assessment; 2018/07/27 01:01:16; with threat Andr/Xgen-VC added to security assessment
    Scanner; 2018/07/27 00:59:51; Virus definitions updated to version 3.72.42:2018072512.


    Please forward this to the team and act on this issue. The android landscape is very diverse - it takes decent processes to keep up with it. App signature scans are not the solution.

  • In reply to SDU:

    Anything new?

    It's quite some time now since we forwarded our details!!