Just two weeks ago we reported on newly discovered Android malware that was virtually impossible to uninstall. Now researchers have found even more frightening malware that can install itself even when the end user explicitly denies it permission.
The hijacking occurs after the victim has installed a malicious app that masquerades as an official app available through the Google Play store and is then made available on third-party markets. During installation, apps from an adware family known as Shedun try to coax people into granting the app control over the Android Accessibility Service, a feature designed to give vision-impaired users alternative ways to interact with their smartphones. The app tries to gain that control by displaying dialogs claiming the app will block intrusive advertisements.
Once the app is installed, it can display popup ads that install other sets of highly intrusive Android adware. Even when a user declines to install the adware or takes no action, the Shedun-laced app takes control over the accessibility service to install the adware anyway.
“Shedun does not exploit a vulnerability in the service,” researchers from mobile security firm Lookout said in a blog post published Thursday. “Instead it takes advantage of the service’s legitimate features. By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user.”
Lookout researchers published a video demonstrating the app's forced installation.
As previously reported, Shedun is one of several Android adware families that are not easily removed. This is because the apps silently root the device and then embed themselves within the system partition to ensure persistence even after a factory reset. Lookout researchers referred to the family as “trojanized adware” because its main goal is to install third-party applications and serve extremely aggressive advertisers.
The adware family’s use of social engineering to hijack the Android Accessibility Service is ingenious and places it in a new wave of malicious apps. As always, we urge you all to avoid third-party markets at all costs; the risks greatly outweigh the benefits. You should also remain highly suspicious if any app begins to ask for control of the Android Accessibility Service.
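One way to act on that advice when auditing a device, as an added example that is not from Lookout or the original article: the script below cross-references the accessibility services enabled on a device with each package's installer and flags any service whose package did not come from Google Play. The package names and sample outputs are constructed, and treating `com.android.vending` (Google Play) as the only trusted installer is an assumption to adjust for your own policy.

```python
import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.adblockfree/.BlockerService"
)
# Constructed sample of: adb shell pm list packages -i
SAMPLE_INSTALLERS = (
    "package:com.google.android.marvin.talkback  installer=com.android.vending\n"
    "package:com.example.adblockfree  installer=null\n"
    "package:com.example.notes  installer=com.android.vending\n"
)
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted


def parse_enabled_services(raw):
    """Split the colon-separated setting into (package, service class) pairs."""
    raw = raw.strip()
    if raw in ("", "null"):  # 'null' is printed when no service is enabled
        return []
    pairs = []
    for comp in raw.split(":"):
        pkg, _, cls = comp.partition("/")
        if cls.startswith("."):  # leading dot: class name is relative to the package
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_installers(raw):
    """Map package name -> installer package (None when the installer is 'null')."""
    pat = r"^package:(\S+)[ \t]+installer=(\S+)[ \t]*$"
    return {p: (None if i == "null" else i) for p, i in re.findall(pat, raw, re.M)}


def flag_untrusted_accessibility(enabled_raw, installers_raw):
    """Return enabled accessibility services whose package has no trusted installer."""
    installers = parse_installers(installers_raw)
    return [
        (pkg, cls, installers.get(pkg))  # unknown packages are flagged as well
        for pkg, cls in parse_enabled_services(enabled_raw)
        if installers.get(pkg) not in TRUSTED_INSTALLERS
    ]


if __name__ == "__main__":
    for pkg, cls, src in flag_untrusted_accessibility(SAMPLE_ENABLED, SAMPLE_INSTALLERS):
        print(f"REVIEW {pkg} ({cls}) installer={src}")
```

A flagged entry is a prompt for manual review, not proof of infection: legitimately sideloaded accessibility tools will also appear.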