Researchers have discovered a new type of Android malware that often masquerades as a popular application such as Facebook and Twitter. This so-called “trojanized adware” can root a device and install itself as a system application, making removing it almost impossible as the malicious code is designed to survive even a ‘factory data reset’ wipe.
Security firm Lookout said it has found more than 20,000 samples of trojanized apps that repackage the code or other features found in apps from the Google Play store and then get posted to third-party stores. In most cases the apps are fully functional and don’t alert the owner. As well as the aforementioned social media apps, the trojanized adware has also been found in copies of Candy Crush, Google Now, NYTimes, Okta, SnapChat and WhatsApp.
Once one of these apps is installed it gains root access to the Android operating system, which means the app can break out of its restricted sandbox and take control of an entire device, its application and data. The goal of these apps appears to be to aggressively display ads on the devices they infect in order to generate money for the attacker.
"Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy," said the company in a blog post.
The researchers identified three separate families of adware apps that automatically root devices: Shuanet, Kemoge (known as ShiftyBug), and Shudun (or GhostPush). As the infected apps are mostly distributed through third-party stores, users who only download apps from Google Play aren’t at risk.
Many people use third-party stores as they often stock apps not available on Google Play, such as gambling applications. Lookout found the highest number of infections in the US, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.
"We expect this class of trojanized adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional malware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities," the researchers said.