Android New auto-rooting Android malware infects more than 20,000 apps, impossible to remove from devices

midian182

TechSpot Editor
Staff member

Researchers have discovered a new type of Android malware that often masquerades as a popular application such as Facebook and Twitter. This so-called “trojanized adware” can root a device and install itself as a system application, making removing it almost impossible as the malicious code is designed to survive even a ‘factory data reset’ wipe.

Security firm Lookout said it has found more than 20,000 samples of trojanized apps that repackage the code or other features found in apps from the Google Play store and then get posted to third-party stores. In most cases the apps are fully functional and don’t alert the owner. As well as the aforementioned social media apps, the trojanized adware has also been found in copies of Candy Crush, Google Now, NYTimes, Okta, SnapChat and WhatsApp.

Once one of these apps is installed it gains root access to the Android operating system, which means the app can break out of its restricted sandbox and take control of an entire device, its application and data. The goal of these apps appears to be to aggressively display ads on the devices they infect in order to generate money for the attacker.

"Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy," said the company in a blog post.

The researchers identified three separate families of adware apps that automatically root devices: Shuanet, Kemoge (known as ShiftyBug), and Shudun (or GhostPush). As the infected apps are mostly distributed through third-party stores, users who only download apps from Google Play aren’t at risk.

Many people use third-party stores as they often stock apps not available on Google Play, such as gambling applications. Lookout found the highest number of infections in the US, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.

"We expect this class of trojanized adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional malware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities," the researchers said.

Permalink to story.

 

insect

TS Evangelist
But if the app gained root... so can you (with certain command lines or tools). Which means you can do anything you want, including removing this app or formatting your entire phone.

I always gain root ASAP after purchasing a phone with the purpose of removing many system apps from OEMs.
 
  • Like
Reactions: tac0man

Skidmarksdeluxe

TS Evangelist
If these users want to install apps from shady 3rd party sites then tough luck, they should've know better. Why would you want to install any popular app from any other site but the Playstore?
 

RzmmDX

TS Guru
If these users want to install apps from shady 3rd party sites then tough luck, they should've know better. Why would you want to install any popular app from any other site but the Playstore?
Because some sites offer older versions of the app that did not break stuff?
 
  • Like
Reactions: DaveBG

DronicX

TS Rookie
But if the app gained root... so can you (with certain command lines or tools). Which means you can do anything you want, including removing this app or formatting your entire phone.

I always gain root ASAP after purchasing a phone with the purpose of removing many system apps from OEMs.
I think that these trojan apps root the phone and only allow themselves to use root. I seriously doubt that these trojan apps would install SuperSU and pop up a box saying that the trojan app needs root permission. This means that the trojan apps root the phone in a way that does not allow the user to use root.
 

Nobina

TS Evangelist
They forgot that I use Android so I'm already used to having ads and I already have incredible amount of bloatware preinstalled.

I win, hackers.
 
  • Like
Reactions: dan mrkvicka

mgwerner

TS Booster
If these users want to install apps from shady 3rd party sites then tough luck, they should've know better. Why would you want to install any popular app from any other site but the Playstore?
Perhaps there are still some users out there who wish to NOT be like the sheep who limit themselves to the large appstores.

You expect everyone to have your same desires and values, which is simply not a realistic view of the world.
 
  • Like
Reactions: Mech918

Skidmarksdeluxe

TS Evangelist
Perhaps there are still some users out there who wish to NOT be like the sheep who limit themselves to the large appstores.

You expect everyone to have your same desires and values, which is simply not a realistic view of the world.
Oh you're good. Do carry on.
 
Last edited:
  • Like
Reactions: infiltrator

Mech918

TS Rookie
Oh you're good. Do carry on.
@askidmarksdeluxe: I love those that think the victim is always at fault. It's so easy to say they shouldn't have chosen that path if they didn't want the pending problems. After all criminals would never be successful without opertunity. It's sad that you think the victim actually created the criminal by allowing him to act.
 

cracktech

TS Member
Wow far out! They could just obtain root with a few lines of codes? Genius. We had to do summersault and loops just to root our devices. These hackers are heroes! But after we have rooted we could also removed these malware/virus/ and also if we have to , manually remove these files if you know what you are doing.
 

Zahid Iqbal1

TS Rookie
I have antivirus installed in my android, but this is not detected. So how I can avoid this. This is new to me. I have to search on google right now
 

Latest posts