November 19, 2015

Trojanized Adware Family Abuses Accessibility Service

Zoomed in image of smartphone highlighting iOS accessibility menu.

Shedun, a family of trojanized adware, is more sophisticated than many think.

In addition to rooting a victim’s device, Lookout observed Shedun abusing the Android Accessibility Service for malicious ends. Using the accessibility service toolset to deliver malware is uncommon, so we took a deeper look. Last week we told you about three trojanized adware families: Shuanet, ShiftyBug, and Shedun. These families root the victim’s device after being installed and then embed themselves in the system partition in order to persist, even after a factory reset, becoming nearly impossible to remove. We call it “trojanized adware” because the end goal of this malware is to install secondary applications and serve aggressive advertising.

Shedun takes its adware a step further.

Not only does it download the unwanted apps, but it actually attempts to install them by tricking the user into granting Shedun control of the Accessibility Service, which is designed to provide alternative ways to interact with mobile devices. Shedun does not exploit a vulnerability in the service; instead, it takes advantage of the service’s legitimate features. Once it is granted permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine whether an application installation prompt is shown, scroll through the permission list, and finally press the install button without any physical interaction from the user.
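Because the abuse described above relies on a granted accessibility service rather than an exploit, the most useful check a responder or fleet administrator can run is to enumerate which accessibility services are enabled on a device and whether the owning package lives on the system partition (the persistence location the post describes). The following triage helper is an added example written for this post, not Lookout’s tooling or code from any Shedun sample. It parses the output of two standard `adb shell` commands, `settings get secure enabled_accessibility_services` and `pm list packages -f`; the sample outputs, the allow-list, and the package name `com.example.placeholder.cleaner` are all constructed placeholders, not indicators from a real sample.

```python
"""Triage helper: list enabled Android accessibility services and flag unknown ones.

Input comes from two adb commands a responder would already run:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -f
Every sample value below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample setting value: ':'-separated component names.
# "com.example.placeholder.cleaner" is a made-up package standing in for a
# suspicious app; it is not an indicator from any real Shedun sample.
ENABLED_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.placeholder.cleaner/.BoostService"
)

# Constructed sample of `pm list packages -f` output (package:<apk path>=<package>).
PM_LIST_OUTPUT = """\
package:/system/priv-app/TalkBack/TalkBack.apk=com.google.android.marvin.talkback
package:/system/app/PlaceholderCleaner/PlaceholderCleaner.apk=com.example.placeholder.cleaner
package:/data/app/com.example.weather-1/base.apk=com.example.weather
"""

# Hypothetical allow-list of packages whose accessibility services are expected.
KNOWN_GOOD: Set[str] = {"com.google.android.marvin.talkback"}


@dataclass
class Finding:
    package: str
    component: str
    apk_path: Optional[str]
    on_system_partition: bool
    allowlisted: bool

    @property
    def suspicious(self) -> bool:
        # Any enabled accessibility service outside the allow-list deserves a look;
        # one that also sits under /system matches the persistence pattern above.
        return not self.allowlisted


def parse_enabled_services(setting: str) -> List[Tuple[str, str]]:
    """Parse the enabled_accessibility_services value into (package, class) pairs.

    Entries are ':'-separated "package/class" component names; a class that
    starts with '.' is relative to its package and is expanded here.
    """
    services: List[Tuple[str, str]] = []
    for entry in filter(None, setting.strip().split(":")):
        if "/" not in entry:
            continue  # malformed entry: skip rather than crash the triage run
        package, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = package + cls
        services.append((package, cls))
    return services


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output."""
    paths: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, package = line[len("package:"):].rsplit("=", 1)
        paths[package] = path
    return paths


def triage(setting: str, pm_output: str, known_good: Set[str]) -> List[Finding]:
    """Correlate each enabled accessibility service with its APK location."""
    paths = parse_pm_list(pm_output)
    findings: List[Finding] = []
    for package, cls in parse_enabled_services(setting):
        path = paths.get(package)
        findings.append(Finding(
            package=package,
            component=cls,
            apk_path=path,
            on_system_partition=bool(path and path.startswith("/system/")),
            allowlisted=package in known_good,
        ))
    return findings


def suspicious_packages(findings: List[Finding]) -> List[str]:
    return [f.package for f in findings if f.suspicious]


if __name__ == "__main__":
    for f in triage(ENABLED_SETTING, PM_LIST_OUTPUT, KNOWN_GOOD):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.component}  apk={f.apk_path}  system={f.on_system_partition}")
```

On a real device, replace the two constructed strings with the captured command output; a service that is not on the allow-list and whose APK sits under `/system/` is exactly the combination this post describes, and removing it will need a firmware reflash rather than an uninstall.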

The video below shows a sample of Shedun doing just this. After rooting the device, Shedun (likely masquerading as a popular app or system utility), asks the user to turn on the accessibility service. The messaging is ironically misleading:

“[This app] uses accessibility features to help stop inactive apps you aren’t using. You’ll see a standard privacy risk reminder, Please feel at ease about turning it on.”

First, it lies about what accessibility features do (they do not help stop inactive apps, nor do they provide maximum acceleration). Then it attempts to placate the victim to “feel at ease” about turning on the service - sure, trust them, nothing to worry about.

This does require some victim interaction in that she must turn on the accessibility service initially if she falls for the “feel at ease” message. But from there the installation of further apps is automatic.

Shedun then shows the victim a pop-up advertisement for another application. When the victim clicks away from the pop-up, the app downloads anyway. As soon as the download is complete, Shedun uses the accessibility service to automatically approve all the permissions for the app and install it, without any additional user interaction.

This isn’t the first time we’ve seen a piece of malware abusing the accessibility service. A Japan-targeted threat also abused the service with the goal of surveilling its victims. Namely, it collected messages from the popular messaging service LINE whenever the accessibility service read one of those messages on screen.

Shedun likely uses this technique in order to increase its revenue by guaranteeing the installation and execution of advertised applications. After all, marketing companies pay more money for advertising campaigns where the user actually interacts with the application after downloading it instead of simply downloading and forgetting about it. In this case, Shedun takes that choice away, leaving the user angry at the advertised app that they have been forced to experience, while simultaneously taking the money from ad agencies, despite having violated their policies. This class of malware is evolving quickly and we believe we’ll see more sophisticated families surfacing in the future.

Authors

Lookout

Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as its preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Platform(s) Affected
Android
Threat Type
Malware
Entry Type
Threat Summary

