Device-Rooting Adware Hidden in 20,000 Android Apps

Researchers at mobile security firm Lookout have come across a new malicious adware family distributed via trojanized versions of popular Android applications.

The new threat, dubbed by the security company “Shuanet,” has been found in numerous Android programs, including Okta’s two-factor authentication application.

Similar to other recently discovered malicious adware families, such as Kemoge (ShiftyBug) and Shedun (GhostPush), Shuanet is designed to root the infected phone without the user’s knowledge, allowing attackers to gain unrestricted access to the device and prevent the victim from removing the threat.

The security firm has identified a total of over 20,000 popular Android applications containing Kemoge, Shedun and Shuanet. The highest infection rates have been observed in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico and Indonesia.

Attackers have repackaged popular applications taken from Google Play and other app stores and made them available on third-party websites. Many of the repackaged versions are fully functional, which helps them avoid raising suspicion.

While thousands of popular apps have been programmatically repackaged, experts believe malicious actors have specifically excluded antiviruses, which shows a high level of planning.

Lookout researchers believe that while Kemoge, Shedun and Shuanet are not created by the same individual or group, the adware families are linked. Some variants of these threats share between 71 and 82 percent of their code, which indicates that they use the same code base.

Kemoge uses a total of eight exploits to root devices, three of which are also leveraged by Shuanet. It’s worth noting that these exploits are not new and have been used by popular rooting tools.

According to experts, removing these threats from a device is not an easy task since once they gain root access they install themselves as system applications. Some consumers might be forced to replace their devices in order to get rid of them. Since the attackers have also targeted enterprise applications such as Okta’s 2FA app, organizations are also at risk.

“While historically adware hoped to convince the user to install new applications by showing banners and annoying pop ups, now it can install these third party apps without user consent. In this way it can heavily capitalize on the Cost Per Install paid out by web marketing companies,” Lookout’s Michael Bentley said in a blog post. “Unfortunately, should the revenue model change on clicks-per-install and ads, this may lead to malware authors using this privilege escalation for new monetization strategies.”

Last month, Palo Alto Networks warned that 18,000 Android applications built using an SDK from a Chinese mobile ad platform had SMS theft capabilities.

iOS users are also at risk. FireEye warned this week that a potentially backdoored version of a popular Chinese ad library has been found in thousands of iOS apps, and that the XcodeGhost malware has been updated to target iOS 9.