
Meet the Android rooting adware that cannot be removed

Researchers have identified a new strain of malicious adware that is impossible for affected Android device owners to uninstall.

Researchers at Lookout, a San Francisco-based mobile security firm, found 20,000 third-party apps outside of the Google Play Store that are disguised as popular apps like Okta, Facebook, Twitter, WhatsApp, and NYTimes. The apps maintain some of the functionality of the applications that they masquerade as, but they also launch treacherous adware campaigns that root the device for persistence and install a dropper without the user's permission.

Michael Bentley, head of Lookout's research and response team, said the team found a similar pattern of behavior across three families of adware – Shuanet, Shedun, and ShiftyBug.

The adware enters the system directory, which the user typically is unable to access, and cannot be removed.

This new strain of apps blurs the distinction between adware campaigns and more maliciously targeted malware campaigns. Bentley said that the apps are strictly defined as adware, but effectively function as Trojan malware. Once the adware has rooted the device, owners are “very likely going to need to replace their phone,” he said.

Even if the user completes a factory reset on the device, the device will reset with the malicious adware still running. Since a rooted device gives attackers access to the entire system, the user's data and private information are highly vulnerable.

Bentley said the attackers are not currently using these vulnerabilities to launch more malicious attacks. “That's typically a different type of actor,” he said. The adware creators currently have a revenue model that works. However, he asked, “what if their revenue model changes?”
