More than 20,000 apps auto-root Android devices

New research suggests that auto-rooting adware is continuing to be a worry in the Android environment where malware automatically roots the device after installed by the user. It embeds itself as a system application and becomes almost impossible to remove. 

Adware is now becoming trojanised and sophisticated – a new and alarming trend.

Lookout detected more than 20,000 samples of the trojanised adware disguised as legitimate top applications that include Facebook, Candy Crush, Twitter, Snapchat, WhatsApp and others. Malicious actors repackage and inject malicious code into very many popular applications discovered in Google Play, then later publish them to third-party app stores. Lookout believes many of the apps are fully functional.

This new type of adware is silent and roots the device unbeknown to the user, unlike older types of adware that were obvious and annoying and prompted users to uninstall them. Victims are unlikely to be able to uninstall the malware, forcing them to seek professional help to remove it or, in some cases, purchase a new device.

Rooting the device creates added security risk for businesses and individual users, since other apps can then gain root access to the device, which provides them with unrestricted access to files outside of their domain. With root access, limitations are easily bypassed.

Lookout has studied three related families of adware this past year – Shuanet, Kemoge or ShiftyBug, and Shedun. These families are Trojans although many classify them as simple adware. The three are responsible for over 20,000 repackaged apps.

It appears these families programmatically repackage thousands of popular apps from first tier app stores such as Google Play and its local equivalents. Antivirus apps seems to have been left out, which suggests a high level of planning when creating these malware campaigns. The highest discovery for the three families together are in the US, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico and Indonesia.

Lookout found that some variants from these families have 71 percent to 82 percent code similarity, so the authors used the same pieces of code to build their versions of the auto-rooting adware—proving that the three have at least heard of each other.

The three families also share exploits. To root the device, each trojanised adware app uses publicly available exploits that perform the rooting function.

Those who get infected with Shedun, Shuanet and ShiftyBug may need to purchase a new device. These pieces of adware root the device and install themselves as system applications so they become almost impossible to remove, forcing victims to replace their mobile device.

Having rooted devices on the network is a concern for businesses if the devices were rooted by a repackaged version of a popular enterprise app. An everyday victim will not have the proper interface to control which apps on the phone request root access. Because of their increased privileges, these apps can gain access to data to which they shouldn't have access.

Lookout expects this class of trojanised adware to continue gaining sophistication in time, leveraging its root privilege to further exploit user devices, allow more malware to gain read or write privileges and better hide evidence of its presence and activities. They believe that more families of adware trojanising popular apps will appear in the near future and dig their way into the reserved file system to avoid removal. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.