Researchers have uncovered a new type of Android adware that's virtually impossible to uninstall, exposes phones to potentially dangerous root exploits, and masquerades as one of thousands of different apps from providers such as Twitter, Facebook, and even Okta, a two-factor authentication service.
The researchers have found more than 20,000 samples of trojanized apps that repackage the code or other features found in official apps available in Google Play and then are posted to third-party markets.
From the end user's perspective, the modified apps look just like the legitimate apps, and in many cases they provide the same functionality and experience. Behind the scenes, however, the apps use powerful exploits that gain root access to the Android operating system. The exploits—found in three app families known as Shedun, Shuanet, and ShiftyBug—allow the trojanized apps to install themselves as system applications, a highly privileged status that's usually reserved only for operating system-level processes.
"For individuals, getting infected with Shedun, Shuanet, and ShiftyBug might mean a trip to the store to buy a new phone," researchers from mobile security firm Lookout wrote in a blog post published Wednesday. "Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy."
The Lookout researchers said the apps appear to do little more than display ads, but given their system-level status and root privileges, they have the ability to subvert key security mechanisms built into Android. Under a model known as sandboxing, for instance, Android apps aren't permitted to access passwords or most other data available to other apps. System applications with root, by contrast, have super-user permissions that allow them to break out of such sandboxes. From there, root-level apps can read or modify data and resources that would be off limits to normal apps.
"At first, we wondered why someone would infect an enterprise two-factor authentication app in order to serve ads, neglecting the opportunity to harvest and exfiltrate user credentials," the Lookout researchers wrote. "However, looking at the distribution portion of the command and control server, it appears that these families programmatically repacked thousands of popular apps from first-tier app stores like Google Play and its localized equivalents. Curiously, antivirus apps appear to have been specifically excluded, suggesting a high level of planning when creating these malware campaigns."
After the apps are downloaded from Google Play, they're repackaged with the malicious code and distributed on third-party websites. Lookout is seeing the highest number of detections in the US, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia. The report is the latest to underscore the risks of using third-party markets. There are no indications that any of the trojanized apps have made their way into Google Play. Such breaches happen several to dozens of times per year, however, and could prove especially damaging if they included the types of apps Lookout has found.
In many cases, the apps use multiple root exploit so they can be tailored to the vulnerabilities present in the specific phone being infected. ShiftyBug, for instance, is equipped with at least eight separate root exploits. With names including Memexploit, Framaroot, and ExynosAbuse, many of the exploits are publicly available and are often used by legitimate services that allow Android users to root their devices so they can overcome limitations imposed by carriers or manufacturers. Ars previously reported on the reuse of such exploits in a post headlined How a few legitimate app developers threaten the entire Android userbase.
It's not clear what the precise relationship is among the three adware families responsible for the 20,000 adware samples observed by Lookout. Variants from the different groups share anywhere from 71 percent to 82 percent of the same code. "It's clear the three have at least heard of each other," the Lookout researchers concluded.
110 Reykjavik, Iceland