TechSpot

New auto-rooting Android malware infects more than 20,000 apps, impossible to remove from devices

By midian182
Nov 6, 2015
  1. Researchers have discovered a new type of Android malware that often masquerades as a popular application such as Facebook and Twitter. This so-called “trojanized adware” can root a device and install itself as a system application, making removing it almost impossible as the malicious code is designed to survive even a ‘factory data reset’ wipe.

    Security firm Lookout said it has found more than 20,000 samples of trojanized apps that repackage the code or other features found in apps from the Google Play store and then get posted to third-party stores. In most cases the apps are fully functional and don’t alert the owner. As well as the aforementioned social media apps, the trojanized adware has also been found in copies of Candy Crush, Google Now, NYTimes, Okta, SnapChat and WhatsApp.

    Once one of these apps is installed, it gains root access to the Android operating system, which means the app can break out of its restricted sandbox and take control of an entire device, its applications and data. The goal of these apps appears to be to aggressively display ads on the devices they infect in order to generate money for the attacker.

    "Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy," said the company in a blog post.

    The researchers identified three separate families of adware apps that automatically root devices: Shuanet, Kemoge (known as ShiftyBug), and Shudun (or GhostPush). As the infected apps are mostly distributed through third-party stores, users who only download apps from Google Play aren’t at risk.

    Many people use third-party stores as they often stock apps not available on Google Play, such as gambling applications. Lookout found the highest number of infections in the US, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.

    "We expect this class of trojanized adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional malware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities," the researchers said.


     
  2. insect

    insect TS Evangelist Posts: 315   +114

    But if the app gained root... so can you (with certain command lines or tools). Which means you can do anything you want, including removing this app or formatting your entire phone.

    I always gain root ASAP after purchasing a phone with the purpose of removing many system apps from OEMs.
     
    tac0man likes this.
  3. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 6,475   +2,033

    If these users want to install apps from shady 3rd party sites then tough luck, they should've known better. Why would you want to install any popular app from any other site but the Playstore?
     
  4. RzmmDX

    RzmmDX TS Guru Posts: 303   +59

    Because some sites offer older versions of the app that did not break stuff?
     
    DaveBG likes this.
  5. DronicX

    DronicX TS Rookie

    I think that these trojan apps root the phone and only allow themselves to use root. I seriously doubt that these trojan apps would install SuperSU and pop up a box saying that the trojan app needs root permission. This means that the trojan apps root the phone in a way that does not allow the user to use root.
     
  6. bexwhitt

    bexwhitt TS Addict Posts: 291   +55

    The Nexus devices on Marshmallow can't be rooted without changing the kernel
     
  7. Nobina

    Nobina TS Evangelist Posts: 843   +328

    They forgot that I use Android so I'm already used to having ads and I already have an incredible amount of bloatware preinstalled.

    I win, hackers.
     
    dan mrkvicka likes this.
  8. mgwerner

    mgwerner TS Booster Posts: 33   +28

    Perhaps there are still some users out there who wish to NOT be like the sheep who limit themselves to the large appstores.

    You expect everyone to have your same desires and values, which is simply not a realistic view of the world.
     
    Mech918 likes this.
  9. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 6,475   +2,033

    Oh you're good. Do carry on.
     
    Last edited: Nov 8, 2015
    infiltrator likes this.
  10. Mech918

    Mech918 TS Rookie

    @askidmarksdeluxe: I love those that think the victim is always at fault. It's so easy to say they shouldn't have chosen that path if they didn't want the pending problems. After all, criminals would never be successful without opportunity. It's sad that you think the victim actually created the criminal by allowing him to act.
     
  11. cracktech

    cracktech TS Member

    Wow, far out! They could just obtain root with a few lines of code? Genius. We had to do somersaults and loops just to root our devices. These hackers are heroes! But after we have rooted we could also remove this malware/virus, and also, if we have to, manually remove these files if you know what you are doing.
     
  12. Zahid Iqbal1

    Zahid Iqbal1 TS Rookie Posts: 25

    I have antivirus installed on my Android, but this is not detected. So how can I avoid this? This is new to me. I have to search on Google right now.
     
  13. KlavsPrieditis

    KlavsPrieditis TS Enthusiast Posts: 28

    :D)))

    I'm interested: is there anybody here who received the virus? Is it really unremovable?
     
