November 4, 2015

Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire

Auto-rooting adware is a worrying development in the Android ecosystem in which malware roots the device automatically after the user installs it, embeds itself as a system application, and becomes nearly impossible to remove. Adware, which has traditionally been used to aggressively push ads, is now becoming trojanized and sophisticated. This is a new trend for adware and an alarming one at that.

Lookout has detected over 20,000 samples of this type of trojanized adware masquerading as legitimate top applications, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp, and many others.

Malicious actors behind these families repackage and inject malicious code into thousands of popular applications found in Google Play, and then later publish them to third-party app stores. Indeed, we believe many of these apps are actually fully-functional, providing their usual services, in addition to the malicious code that roots the device.

Unlike older types of adware that were obvious and obnoxious, prompting users to uninstall them, this new type of adware is silent, working in the background. These malicious apps root the device unbeknownst to the user. To add insult to injury, victims will likely not be able to uninstall the malware, leaving them with the options of either seeking out professional help to remove it, or simply purchasing a new device.

The act of rooting the device in the first place creates additional security risk for enterprises and individuals alike, as other apps can then get root access to the device, giving them unrestricted access to files outside of their domain. Usually, applications are not allowed to access the files created by other applications; with root access, however, those limitations are easily bypassed.

Trojanized adware: the story gets bigger

Over the past year, Lookout has studied three interconnected families of adware. Lookout discovered the family Shuanet, which, like all of these families, auto-roots the device and hides in the system directory. Kemoge, or what we call ShiftyBug, recently made headlines for rooting the victim’s device and installing secondary payload apps. Another family, Shedun, also referred to as GhostPush, is yet another example of this trojanized adware. While many classify these as simple “adware,” these families are trojans.

Together, the three are responsible for over 20,000 repackaged apps, including Okta’s two-factor authentication app. We are in contact with Okta regarding this malicious repackaging of its app.

At first, we wondered why someone would infect an enterprise two-factor authentication app in order to serve ads, neglecting the opportunity to harvest and exfiltrate user credentials. However, looking at the distribution portion of the command and control server, it appears that these families programmatically repackage thousands of popular apps from first-tier app stores like Google Play and its localized equivalents. Curiously, antivirus apps appear to have been specifically excluded, suggesting a high level of planning when creating these malware campaigns.

This is why we found thousands of popular repackaged apps available in third-party app stores.

In Okta’s case, Shuanet.a delivers the original app intact, and usable. Usually, most malware that pretends to be a popular app or game imitates the legitimate version in name and icon only. We believe many of Shuanet’s repackaged apps are fully-functional, making it much easier to trick an unsuspecting victim and avoid detection.

The highest detections for these three families together are in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.

The connections

While we don’t believe these apps were all created by the same author or group, we can assume they may be associated in some capacity.

Lookout’s technology and security researchers were able to correlate Shuanet, Shedun, and ShiftyBug after examining samples of the three in our dataset of mobile code. We found that some variants from these families have 71 percent to 82 percent code similarity, meaning that the authors used the same pieces of code to build their versions of the auto-rooting adware. It’s clear the three have at least heard of each other.

The three families also share exploits. In order to root the device, each trojanized adware app uses publicly available exploits that perform the rooting function. ShiftyBug, for example, comes packed with at least eight of them in an effort to enable itself to root as many devices as possible. The following exploits are used by ShiftyBug and Shuanet of the mentioned families:

  • Memexploit
  • Framaroot
  • ExynosAbuse

These are not new exploits; in fact, many of them are used in popular root enablers.


The repercussions

For individuals, getting infected with Shedun, Shuanet, and ShiftyBug might mean a trip to the store to buy a new phone. Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy.
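One way to check a device for the persistence described above, as an added example that is not Lookout's code: it parses the output of Android's `pm list packages -f` and flags any package sitting on a system partition that a known-good baseline (assumed here to be captured from a clean device of the same model and build) does not list as a system app. All package names and paths in the sample data are constructed.

```python
import posixpath

# Partitions a factory reset leaves untouched (only user data is wiped).
SYSTEM_ROOTS = ("/system/", "/system_ext/", "/product/", "/vendor/")


def parse_pm_list(text):
    """Parse `pm list packages -f` output into {package_name: apk_path}."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # Split on the LAST '=': newer Android install paths contain '=' too.
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and name:
            packages[name] = posixpath.normpath(path)
    return packages


def unexpected_system_apps(device, baseline):
    """Return sorted (package, path) pairs that are on a system partition now
    but were absent, or only a user app, in the known-good baseline."""
    findings = []
    for name, path in device.items():
        if not path.startswith(SYSTEM_ROOTS):
            continue  # ordinary user app; a factory reset removes these
        known = baseline.get(name)
        if known is None or not known.startswith(SYSTEM_ROOTS):
            findings.append((name, path))
    return sorted(findings)


# Constructed sample: baseline from a clean device of the same build.
BASELINE = parse_pm_list("""\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/data/app/com.example.game-1/base.apk=com.example.game
""")

# Constructed sample: the device under inspection.
DEVICE = parse_pm_list("""\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/system/app/com.example.game/com.example.game.apk=com.example.game
package:/system/priv-app/SysHelper/SysHelper.apk=com.example.syshelper
package:/data/app/~~Qx9z==/com.example.notes-aB3d==/base.apk=com.example.notes
""")

if __name__ == "__main__":
    for pkg, apk in unexpected_system_apps(DEVICE, BASELINE):
        print(f"unexpected system app: {pkg} at {apk}")
```

A hit is a lead for investigation rather than proof of infection, since legitimate OTA updates can also add system apps that an older baseline lacks.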

For enterprises, having rooted devices on the network is a concern, especially if those devices were rooted by a repackaged version of a legitimate and popular enterprise app. In this rooted state, an everyday victim won’t have the proper interface to control what apps on the phone request root access. The problem here is that these apps may gain access to data they shouldn’t have access to, given their escalated privileges.

Developers, of course, should be concerned about brand reputation. Legitimate application developers are often unjustly blamed for the malicious actions of malware that repackaged their applications. In reality, both the user and the app developer here are victims of malware.

We expect this class of trojanized adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional malware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities.

While historically, adware hoped to convince the user to install new applications by showing banners and annoying pop ups, now it can install these third party apps without user consent. In this way it can heavily capitalize on the Cost Per Install paid out by web marketing companies. Unfortunately, should the revenue model change on clicks-per-install and ads, this may lead to malware authors using this privilege escalation for new monetization strategies.

We believe more families of adware trojanizing popular apps will emerge in the near future and look to dig their heels into the reserved file system to avoid being removed.

213 comments
  1. Lo says:

    I’m just curious, how can the users know if their phones got infected? Or everyone should just go for a replacement phone, since there’s no fix?
    Also, how to prevent getting the virus? There’s no point on getting a new phone, if there’s no prevention, in my opinion.

  2. Joshua says:

    hmmm… this is really bad and serious, just wondering what they’ll gain, if factory reset doesn’t remove this… From now on it’s Play store or nothing, admin hope am safe using only Play store?

  3. Matt Bryant says:

    Does Lookout or other popular Android Security Apps protect against these? If so can they prevent the infection, or only detect it after the fact? (in which case it sounds like it’s too late)?

  4. Salvador Araujo says:

    so, we must have to have a “clean version” kitkat roms, or the version what we need?

  5. This is a great piece and very enlightening too but as an android geek, such a scenario ain’t totally a new thing, just a modification and sophistication and improvement of the malware over time. Granted, factory reset might not fix or totally remove them, but flashing the infected devices with the correct and proper firmware will definitely blot out the malware. And BTW, this is a really great piece that can save a lot of Android users time and stress of having to either replace or spend money to seek professional help.

  6. arana says:

    a factory data reset will remove it from some devices, some devices that the user roots themselves even lose root after a data reset, so it actually depends on the devices.

    • Meghan Kelly says:

      Hi, Arana, unfortunately, in this case the adware will actually persist a factory reset of the infected device.

  7. Aaron says:

    Where are these masquerading apps being downloaded from?

    If not from the Google Play store, then wouldn’t a user have to go into their Android device and check the “Install from unknown sources” box?

    • Meghan Kelly says:

      In most cases, victims would download these malicious apps from third-party marketplaces, which would mean that they would have to have the “install from unknown sources” setting checked.

  8. Mark Clancy says:

    Could you kindly advise users how to determine if their Android devices are compromised by these Trojan exploits? Thanks in advance.

    • Meghan Kelly says:

      Victims will experience obtrusive pop up advertising on their devices, and in some cases, certain families actually download further applications to the device.

  9. German says:

    I have that virus on my cell phone; it was downloaded from aaptoide. Any advice for removing it?

  10. Yrtr says:

    Any way of getting rid of this? A clean wipe and reinstall from pc suite maybe. I have an asus zenfone 2 infected with this.

  11. David says:

    A good question worth answering is will only downloading apps from the Play Store give us protection? Is Google’s checking of the apps before allowing the store sufficient to protect us? If even the good folks at Lookout don’t know, saying so would at least protect us from a false sense of security. Thanks.

    • Meghan Kelly says:

      Hi David, downloading applications from Google Play is generally very safe — Google usually does a good job of vetting these applications — but there have been cases of malware slipping into the store.

  12. Christian Rocha says:

    reinstall the original ROM work?

  13. xxstephxx says:

    Is flashing a new ROM a good option to clean these infected rooted devices?

  14. MartiniGM says:

    A factory reset will obviously not remove the trojan because it is written to the system partition – a part of the storage that is not deleted during a factory reset.

    But formatting all partitions and reflashing the ROM should solve problem. 😉

  15. Eric says:

    What if I format the system and data partitions before flashing a new rom from TWRP?

  16. Steve says:

    Pretty much you would need to reload the Rom back on the phone from a computer. So wipe / reload Rom thru abd.

  17. Bouwe Westerdijk says:

    Will Lookout detect and report these type of infections? Or will these apps be designated as Riskware?

  18. Danielle B says:

    Hi there, I have a dilemma…When we pay around $700.00 for a new device, and various monthly fees, have security/Lookout premium always running, and responsibly installing apps…like only from “Samsung” or “Google Play” and this happens…Who should be responsible for the malicious apps/damage to our devices? We read to only install from a “trusted source”, as instructed by our phone manufacturer/service providers. Isn’t it THEIR jobs to release & update security on our devices, staying one step ahead of these horrible apps? Most people cannot afford to just keep “buying” another phone, when a bad app weasels its way into our private info, violating our personal lives, when we have done all we are able to, to protect ourselves? What is the answer here?

  19. Lo says:

    dear lookout team,
    i have another question: is the malware capable to resist a firmware reinstallation done through fastboot?

    thanks a lot!

  20. Sam says:

    Had one such stubborn malware on my android phone by the name com.goodluck.look of which remained through several factory resets and the only solution that worked for me was installing System app remover on the google play store and thus I’d like to know how are the ones mentioned on the site in terms of persistence?

  21. Xian says:

    These malware cannot be removed by factory resetting the phone, they act as a bloat app (apps that come with the phone) so factory resetting does not remove those in the root of the system. In order to remove them, you have to root your phone and file explorer such as Root Explorer can be used to manually delete them.

  22. Herman says:

    Will the Samsung Knox fuse be burned by this malware root?

  23. Dave says:

    just received a galaxy tab 2 7.0 from a friend that got the exact symptoms. Done 5 factory resets (from setting menu and stock recovery) with no luck. The article is correct, the (trojan) app registers itself as a system app, therefore no antivirus (even installing one from playstore is hard) could erase them since the device is still unrooted.
    I’m downloading kies and new firmware now, hope it can help.

  24. Yizhar says:

    Here is the issue I’m confronting: At work we are using MDM software (Maas360) after install from Google Play application named “Wallpaper Saver” I can’t use the MDM anymore as it Trusteer plug-in discover pop-up the Android/Shedun.E!tr.

    1st of all I ran my AV (Trend Micro) scan that did not show any infection
    2nd I ran VirusTotal that only showed this issue with 1 engine (Fortinet)
    3rd I installed within 2 days around 50 different AV apps: all the big, unique, fast – name it – …but nothing. Even Lookout itself.
    So, it looks like completely false positive but Lookout make lots of noise around without any real help even from it on product and we several month already since this article.
    As a company that looks serious in what it does I really expect more.

    • Meghan Kelly says:

      Hi Yizhar, unfortunately, I’m not sure what’s going on here. Would you mind emailing our support team? support [at] lookout [dot] com

      Hopefully they can help pin point what you’re experiencing and help figure out the issue.

  25. rich says:

    My phone keeps trying to install apps eg slick chick , speed wipe etc rang Google and he said I was not telling the truth when I said I have never installed anything from anywhere except play store and was most insulting , none of the antivirus software will stop it from happening several times a day and if I do a factory reset then if the restore partition is infected it will leave my phone without antivirus protection until I reinstall it ! I don’t think I can continue to use Google devices , one due to security issues and two for being insulted and called a liar 🙁

    • Meghan Kelly says:

      Rich, I’m sorry to hear you’re having trouble. If you think you’ve been impacted by this, or another piece of malware, would you reach out to our support team? support [at] lookout [dot] com

  26. kath says:

    City movie download itself I can’t get rid of it help

    • Meghan Kelly says:

      Hi there, sorry to hear you’re having trouble with an app. Would you reach out to our support team with the email address associated with your Lookout account? support [at] lookout [dot] com

  27. Thandy says:

    I have experienced that. I haven’t tried rooting but I gather it has its cons as well. Now I suppose I have to buy a new device. Then I guess it’s goodbye Android for good. This is really infuriating.

    • Daniel says:

      The only fix I’ve come across is to wipe System Partition and flash a new ROM. Any Trustable Android geek you know should be able to do this. Be careful though as you run the risk of bricking your device. Don’t think that device ecosystems outside Android aren’t affected. All you need to do to prevent any infection on Android is go into settings and uncheck installation from unknown sources. Or if you need a new device I suggest a Nexus, as those get the latest security patches and Android updates first, before any other OEM (e.g. Samsung, HTC, LG) get their hands on it, being a Google made device after all.

  28. Martin says:

    Hi I am from India. My phone has actually been infected and the pop up is asking me to download uc browser. No antivirus ( have tried many, literally no antivirus) has been able to even detect it. Please , please let me know soon if you come across a solution other than changing the phone

    • Meghan Kelly says:

      Hi Martin, sorry to hear about this. If you think you’ve encountered malware, please reach out to our security team? malware [at] lookout [dot] com

    • Daniel says:

      The only fix I’ve come across is to wipe System Partition and flash a new ROM. Any Trustable Android geek you know should be able to do this. Be careful though as you run the risk of Bricking your device.

  29. Pat says:

    Hi, victim of Shedun here. Guess I’m pretty cool about getting a new phone considering all this. However, my biggest concern is of the network. Does Shedun have access to the wireless network I use or should the infected phone be the only concern worth noticing? Is it even capable of infecting other devices such as computers, laptops, or tablets, or is it just applicable for smartphones?
    Also, Shedun only focuses on posting ads for monetary gain, right? I don’t have to worry about leaked data or anything? Really paranoid right now. I disconnected the battery from my phone and broke my SD card in two. Lol.

    Thank you in advance!

    • Meghan Kelly says:

      Hi Pat, thanks for reaching out. Sorry to hear that happened! I sent your note over to our security team, but please feel free to reach out directly: malware [at] lookout [dot] com

  30. What is bricking and how do I know WHICH are my malicious apps when Lookout says all apps are fine? I KNOW I have malware….I have ‘Android updates’ that my boyfriend has NEVER had and my phone needs charging in HOURS. I have forced stopped or uninstalled apps with no luck also. My space is almost full and my Google play store keeps going up to over 600MB which it has NEVER done before!!! Help PLEASE!! What do I try or do first to Factory reset? Do I have to make a new email also? Thank you for your help. Kimberly

    • Meghan Kelly says:

      Hi Kimberly. Sorry to hear you’re having trouble with your device. Please feel free to contact us at support [at] lookout [dot] com if you think you’ve encountered malware.

      I’m not sure what’s going on with the device, but to address your point about receiving Android updates that your boyfriend hasn’t: this is normal. Android is fragmented, which means there are a lot of versions of Android out there. Software updates are often first delivered to carriers and manufacturers who then release the updates to their customers. This means that if your boyfriend’s phone is made by a different company or is on a different carrier plan, then he may receive updates that you haven’t and vice versa.

      Please do feel free to contact us. Hopefully we can help figure out what’s going on.
