Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Device-Rooting Adware Hidden in 20,000 Android Apps

Researchers at mobile security firm Lookout have come across a new malicious adware family distributed via trojanized versions of popular Android applications.

The new threat, dubbed by the security company “Shuanet,” has been found in numerous Android programs, including Okta’s two-factor authentication application.

Researchers at mobile security firm Lookout have come across a new malicious adware family distributed via trojanized versions of popular Android applications.

The new threat, dubbed by the security company “Shuanet,” has been found in numerous Android programs, including Okta’s two-factor authentication application.

Similar to other recently discovered malicious adware families, such as Kemoge (ShiftyBug) and Shedun (GhostPush), Shuanet is designed to root the infected phone without the user’s knowledge, allowing attackers to gain unrestricted access to the device and prevent the victim from removing the threat.

The security firm has identified a total of over 20,000 popular Android applications containing Kemoge, Shedun and Shuanet. The highest infection rates have been observed in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico and Indonesia.

Attackers have repackaged popular applications taken from Google Play and other app stores and made them available on third-party websites. Many of the repackaged versions are fully functional, which helps them avoid raising suspicion.

While thousands of popular apps have been programmatically repackaged, experts believe malicious actors have specifically excluded antiviruses, which shows a high level of planning.

Lookout researchers believe that while Kemoge, Shedun and Shuanet are not created by the same individual or group, the adware families are linked. Some variants of these threats share between 71 and 82 percent of their code, which indicates that they use the same code base.

Kemoge uses a total of eight exploits to root devices, three of which are also leveraged by Shuanet. It’s worth noting that these exploits are not new and have been used by popular rooting tools.

According to experts, removing these threats from a device is not an easy task since once they gain root access they install themselves as system applications. Some consumers might be forced to replace their devices in order to get rid of them. Since the attackers have also targeted enterprise applications such as Okta’s 2FA app, organizations are also at risk.

“While historically adware hoped to convince the user to install new applications by showing banners and annoying pop ups, now it can install these third party apps without user consent. In this way it can heavily capitalize on the Cost Per Install paid out by web marketing companies,” Lookout’s Michael Bentley said in a blog post. “Unfortunately, should the revenue model change on clicks-per-install and ads, this may lead to malware authors using this privilege escalation for new monetization strategies.”

Last month, Palo Alto Networks warned that 18,000 Android applications built using an SDK from a Chinese mobile ad platform had SMS theft capabilities.

iOS users are also at risk. FireEye warned this week that a potentially backdoored version of a popular Chinese ad library has been found in thousands of iOS apps, and that the XcodeGhost malware has been updated to target iOS 9.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...