CONFERENCE NOW LIVE: Threat Detection & Incident Response (TDIR) Summit - Join the Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Device-Rooting Adware Hidden in 20,000 Android Apps

Researchers at mobile security firm Lookout have come across a new malicious adware family distributed via trojanized versions of popular Android applications.

The new threat, dubbed by the security company “Shuanet,” has been found in numerous Android programs, including Okta’s two-factor authentication application.

Researchers at mobile security firm Lookout have come across a new malicious adware family distributed via trojanized versions of popular Android applications.

The new threat, dubbed by the security company “Shuanet,” has been found in numerous Android programs, including Okta’s two-factor authentication application.

Similar to other recently discovered malicious adware families, such as Kemoge (ShiftyBug) and Shedun (GhostPush), Shuanet is designed to root the infected phone without the user’s knowledge, allowing attackers to gain unrestricted access to the device and prevent the victim from removing the threat.

The security firm has identified a total of over 20,000 popular Android applications containing Kemoge, Shedun and Shuanet. The highest infection rates have been observed in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico and Indonesia.

Attackers have repackaged popular applications taken from Google Play and other app stores and made them available on third-party websites. Many of the repackaged versions are fully functional, which helps them avoid raising suspicion.

While thousands of popular apps have been programmatically repackaged, experts believe malicious actors have specifically excluded antiviruses, which shows a high level of planning.

Lookout researchers believe that while Kemoge, Shedun and Shuanet are not created by the same individual or group, the adware families are linked. Some variants of these threats share between 71 and 82 percent of their code, which indicates that they use the same code base.

Kemoge uses a total of eight exploits to root devices, three of which are also leveraged by Shuanet. It’s worth noting that these exploits are not new and have been used by popular rooting tools.

Advertisement. Scroll to continue reading.

According to experts, removing these threats from a device is not an easy task since once they gain root access they install themselves as system applications. Some consumers might be forced to replace their devices in order to get rid of them. Since the attackers have also targeted enterprise applications such as Okta’s 2FA app, organizations are also at risk.

“While historically adware hoped to convince the user to install new applications by showing banners and annoying pop ups, now it can install these third party apps without user consent. In this way it can heavily capitalize on the Cost Per Install paid out by web marketing companies,” Lookout’s Michael Bentley said in a blog post. “Unfortunately, should the revenue model change on clicks-per-install and ads, this may lead to malware authors using this privilege escalation for new monetization strategies.”

Last month, Palo Alto Networks warned that 18,000 Android applications built using an SDK from a Chinese mobile ad platform had SMS theft capabilities.

iOS users are also at risk. FireEye warned this week that a potentially backdoored version of a popular Chinese ad library has been found in thousands of iOS apps, and that the XcodeGhost malware has been updated to target iOS 9.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.