Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Android Adware Abuses Accessibility Service to Install Apps

A trojanized adware family is capable of automatically installing applications on infected Android devices by abusing the operating system’s accessibility features, mobile security firm Lookout warned on Thursday.

A trojanized adware family is capable of automatically installing applications on infected Android devices by abusing the operating system’s accessibility features, mobile security firm Lookout warned on Thursday.

Shedun (GhostPush), Kemoge (ShiftyBug) and Shuanet are Android adware families that root infected devices in order to prevent their removal and give attackers unrestricted access. Lookout reported earlier this month that the threats, which the company calls trojanized adware because they are designed not only to serve ads but also to install third-party apps, had been found in more than 20,000 popular Android applications.

Further analysis of Shedun revealed that the adware can automatically install third-party apps without the user’s consent. Once it infects a device and gains root access, the threat attempts to convince victims to enable accessibility features because they are allegedly needed by a utility to “help stop inactive apps.” To increase the chances of tricking the user, the message also points out that a “standard privacy risk reminder” will be displayed, but encourages the victim to “feel at ease about turning it on.”

Once the accessibility service is enabled, Shedun displays a pop-up ad for an application. Even if the victim closes the pop-up, the application is downloaded. By leveraging its permission to use the accessibility service, Shedun can read the text on the screen to determine if it’s an app installation dialog, scroll through the permissions list, and press the install button without any interaction from the user.

It’s worth noting that the adware doesn’t exploit any vulnerabilities to complete this task and instead relies on legitimate functionality.

“Shedun likely uses this technique in order to increase its revenue by guaranteeing the installation and execution of advertised applications. After all, marketing companies pay more money for advertising campaigns where the user actually interacts with the application after downloading it instead of simply downloading and forgetting about it,” Lookout explained in a blog post.

“In this case, Shedun takes that choice away, leaving the user angry at the advertised app that they have been forced to experience, while simultaneously taking the money from ad agencies, despite having violated their policies. This class of malware is evolving quickly and we believe we’ll see more sophisticated families surfacing in the future,” the security firm added.

Shedun is not the first Android threat to abuse the operating system’s accessibility features. Earlier this year, Lookout reported spotting a piece of data-stealing malware, AndroRATIntern, that abused the text-to-speech accessibility feature in Android to capture messages from LINE, a popular Japanese communications app.

Related Reading: Android Tablets with Pre-Installed Trojan Sold on Amazon

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.