SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
6 Nov 2015

New type of auto-rooting Android adware is nearly impossible to remove

Researchers have uncovered a new type of Android adware that's virtually impossible to uninstall, exposes phones to potentially dangerous root exploits, and masquerades as one of thousands of different apps from providers such as Twitter, Facebook, and even Okta, a two-factor authentication service.

The researchers have found more than 20,000 samples of trojanized apps that repackage the code or other features found in official apps available in Google Play and then are posted to third-party markets.

From the end user's perspective, the modified apps look just like the legitimate apps, and in many cases they provide the same functionality and experience. Behind the scenes, however, the apps use powerful exploits that gain root access to the Android operating system. The exploits—found in three app families known as Shedun, Shuanet, and ShiftyBug—allow the trojanized apps to install themselves as system applications, a highly privileged status that's usually reserved only for operating system-level processes.

"For individuals, getting infected with Shedun, Shuanet, and ShiftyBug might mean a trip to the store to buy a new phone," researchers from mobile security firm Lookout wrote in a blog post published Wednesday. "Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy."

The Lookout researchers said the apps appear to do little more than display ads, but given their system-level status and root privileges, they have the ability to subvert key security mechanisms built into Android. Under a model known as sandboxing, for instance, Android apps aren't permitted to access passwords or most other data available to other apps. System applications with root, by contrast, have super-user permissions that allow them to break out of such sandboxes. From there, root-level apps can read or modify data and resources that would be off limits to normal apps.

"At first, we wondered why someone would infect an enterprise two-factor authentication app in order to serve ads, neglecting the opportunity to harvest and exfiltrate user credentials," the Lookout researchers wrote. "However, looking at the distribution portion of the command and control server, it appears that these families programmatically repacked thousands of popular apps from first-tier app stores like Google Play and its localized equivalents. Curiously, antivirus apps appear to have been specifically excluded, suggesting a high level of planning when creating these malware campaigns."

After the apps are downloaded from Google Play, they're repackaged with the malicious code and distributed on third-party websites. Lookout is seeing the highest number of detections in the US, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia. The report is the latest to underscore the risks of using third-party markets. There are no indications that any of the trojanized apps have made their way into Google Play. Such breaches happen several to dozens of times per year, however, and could prove especially damaging if they included the types of apps Lookout has found.

In many cases, the apps use multiple root exploit so they can be tailored to the vulnerabilities present in the specific phone being infected. ShiftyBug, for instance, is equipped with at least eight separate root exploits. With names including Memexploit, Framaroot, and ExynosAbuse, many of the exploits are publicly available and are often used by legitimate services that allow Android users to root their devices so they can overcome limitations imposed by carriers or manufacturers. Ars previously reported on the reuse of such exploits in a post headlined How a few legitimate app developers threaten the entire Android userbase.

It's not clear what the precise relationship is among the three adware families responsible for the 20,000 adware samples observed by Lookout. Variants from the different groups share anywhere from 71 percent to 82 percent of the same code. "It's clear the three have at least heard of each other," the Lookout researchers concluded.

Tags:
Android information leaks
Source:
Ars Technica
2029
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015