
Android Security Alert: This Malware Is Nearly Impossible To Remove

San Francisco-based mobile security company Lookout said it has uncovered a new threat to the Android operating system in the form of malware that disguises itself as a variety of well-known apps — but that actually exposes devices to root attacks and is virtually impossible to remove.

The new malware has been found in software available from third-party app stores. The malware program insinuates itself in legitimate applications such as Twitter, Facebook, Snapchat, Candy Crush, Google Now and WhatsApp. Lookout said it was able to identify and isolate about 20,000 malware samples in mobile applications.

Since the malware-infected versions of the apps have only been discovered in copies from third-party app stores, apps acquired from the Google Play Store should be free from the malware.


Perfect Copy

Most of the infected apps work in exactly the same way as the apps they copy, which means detecting the bad ones — and therefore knowing which ones to uninstall — is almost impossible for untrained users. With root access to a phone, the app can download automatically and become ingrained in the phone’s operating system, making it extremely difficult to delete. Once the infected app runs, it pushes ads to the user’s phone.

Unlike previous types of adware that were apparent to all users and easily uninstalled, the new type of adware is dangerous because it works in the background, Lookout said. Because the malware can’t be uninstalled by most users, the company said the primary options for those whose devices have been infected with the malware are either to take their devices to IT professionals or give up and buy new ones.

Lookout said the act of rooting the devices creates additional security risks for enterprises and individuals. Since other apps can get root access to the infected devices, they also get unrestricted access to files outside of their domains. Applications are usually not allowed to access the files created by other applications, but with root access those limitations can be bypassed.

Three Offenders

During the past year, Lookout has studied three related groups of adware: Shuanet, which, like all three groups, auto-roots the device and hides in the system directory; Kemoge, or ShiftyBug, which recently became known for rooting the victim’s device and installing secondary payload apps; and Shedun, also called GhostPush, another example of this trojanized adware. Together, the three are responsible for more than 20,000 repackaged apps, including Okta’s two-factor authentication app.

Antivirus apps appear to have been specifically excluded from the plague of malware, which Lookout said indicates meticulous planning by the creators of the malware campaigns.

The three malware families were most frequently spotted together in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico and Indonesia.

“We believe more families of adware trojanizing popular apps will emerge in the near future and look to dig [their] heels into the reserved file system to avoid being removed,” said Lookout’s Michael Bentley on the company’s blog.

 
