| Researchers July 6, 2016

July 6, 2016

A spike in Shedun, also known as HummingBad

By Kristy Edwards

There is a particularly dangerous family of malware, known as Shedun, which Lookout discovered and first reported last November. Shedun is trojanized adware that roots Android devices, masquerading as legitimate apps such as Facebook, Twitter, WhatsApp and Okta’s enterprise single sign-on app. Three similar families are associated with Shedun: Shuanet, ShiftyBug, and one we later discovered, BrainTest.
To make matters more confusing, different vendors have different names for Shedun. You may have heard Shedun called HummingBad, Hummer, or ANDROIDOS_LIBSKIN, or right_core (the APK name). Recent reports on HummingBad raise alarms of a malicious and widespread family one of our competitors claims to have first discovered in February 2016. This is the same as Shedun, which we discovered several months before then, in November 2015. This family is extremely malicious, but it is not new.
What is New
We have observed a recent spike in Shedun detections on Lookout’s mobile threat network. We believe this is attributable to the authors building new functionality or distributing the malware in new ways.
Shedun detections spiked over 300% in March, and further spiked over 600% in the past month. Shedun detections spiked over 300% in March, and further spiked over 600% in the past month.
Shedun and the related families follow a particular pattern — they are adware that silently roots devices, allowing them to remain persistent even if the user performs a factory reset. Shedun also uses its root privileges to install additional apps onto the device, further increasing ad revenue for the authors and defeating uninstall attempts.
Lookout customers are protected from Shedun, also known as HummingBad and Hummer, as they have been since we discovered it last Fall.


Kristy Edwards,
Director, Product Management - Security

Leave a comment



Terri Mills says:

November 09, 2016 at 2:31 pm

You DO NOT protect from nor prevent this Shedun from happening to a device. I am still going through hell daily dealing with this and all you can say is basically "sorry 'bout your luck". It sucks because I only download from google play store and I still got this infection or whatever and I don't have any resourses to replace my Galaxy. But thanks for keeping me updated through email. You guys do keep on trying that's for sure.

Meghan Kelly says:

December 07, 2016 at 10:37 am

Hi Terri, I'm sorry you're having trouble here. Would you reach out to our support team? Want us to vet to make sure you're encountering Shedun and understand a bit more about what's going on. Hopefully we'll be able to help. Thank you and please include the email address associated with your Lookout account: support [at] lookout [dot] com

Steve Freedkin says:

July 10, 2016 at 8:52 am

Is that correct — that software like HummingBad persists even *after* factory reset? So if a device is infected, the *only* option is to replace it?

Meghan Kelly says:

August 15, 2016 at 9:43 am

Hi, Steve, Unfortunately, Shedun can persist after a factory reset in some cases. A victim can take a device to a specialist (unless they have the technical knowledge themselves) to have a new ROM flashed to the device.