Researchers have discovered a brand new strain of dangerous Android adware making its rounds on the web, infecting devices with virtually uninstallable spyware. Once infected, the malware opens the device to root exploits and begins masquerading itself as some of the most popular apps including Facebook, Twitter and Whatsapp.
During research, Lookout found more than 20,000 active samples of infected apps that repackage the code or unique features found in official apps through the Google Play store, where attackers then begin posting them to third-party download markets. From the victim’s prospective, the maliciously-crafted app looks just like the official apps, and in many cases work just the same. However, behind the scenes the malware abuses powerful exploits that allow them to gain root access on the victim’s Android operating system. The exploits allow the malicious apps to install themselves as a system application, giving attackers a highly-privileged status that is usually reserved only for operating system-level processes.
“For individuals, getting infected with Shedun, Shuanet, and ShiftyBug might mean a trip to the store to buy a new phone,” Michael Bentley from mobile security firm Lookout wrote in a blog post published Wednesday. “Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy.”
Lookout researchers analyzing the malware-found in the three app families Shedun, Shuanet, and ShiftyBug-said the apps do a little more then display ads, but given the root privileges they acquire, they have the ability to alter the Android security ecsosystem. Often apps from the Google Play store are ran in a sandboxed format on the device, meaning the apps aren’t allowed to go peeking around the device at user passwords or other personal information. In hindsight, system apps granted root privileges have super-user permission, allowing them to easily evade the sandbox. Once out of the sandbox, root-level apps can then begin to read or modify data and resources that would have normally been off limits.
“At first, we wondered why someone would infect an enterprise two-factor authentication app in order to serve ads, neglecting the opportunity to harvest and exfiltrate user credentials,” Bentley said. “However, looking at the distribution portion of the command and control server, it appears that these families programmatically repacked thousands of popular apps from first-tier app stores like Google Play and its localized equivalents. Curiously, antivirus apps appear to have been specifically excluded, suggesting a high level of planning when creating these malware campaigns.”
After official apps are downloaded via the Google Play store, they’re repackaged with the malicious code and distributed via third-party websites. Lookout is seeing the highest infection rate hitting the US, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia. The latest report is another harsh reminder of the dangers of using third-party markets to download Android apps. In good news, there are no reports of these apps breaking into the Google Play store.
The malware is quite dangerous and begins to abuse multiple root exploits so they can be tailored towards specific vulnerabilities present in the infected device. Shiftybug itself is equip with at least eight separate root exploits, most of which are publicly available and are often used in legitimate services that allow Android users to willingly root their device to bypass limitations often imposed by carriers.
It remains unclear what the relationship between the three adware families are. Of the 20,000 samples, variants contained anywhere from 71% to 82 percent of the same code. “It’s clear the three have at least heard of each other,” Lookout researchers said.
“We expect this class of trojanized adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional malware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities,” Lookout concluded.