The Stack Archive

Trojanised adware, including newcomer ‘Shuanet’, infects 20,000 recoded Android apps

Wed 4 Nov 2015

A new report from internet security company Lookout has found that over 20,000 Android apps, including ‘recoded’ versions of legitimate apps such as Facebook, are infected with Trojanised adware that roots Android devices, leaving users with little recourse other than to have the device examined by a security specialist or to abandon it altogether.

The extensive spread of the infections is facilitated by malicious actors downloading highly popular third-party apps such as SnapChat, Twitter, WhatsApp, Candy Crush, the NYTimes and GoogleNow, infecting them with one of three strains of similar Trojanised adware, and redistributing them via third-party channels, where the heedless purchaser does not take enough trouble to establish the authenticity of the publisher.
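Because a repackaged app has to be re-signed with the repackager's own key, the check a user or administrator can make before sideloading is to compare the APK's signing-certificate fingerprint with the one pinned for the genuine publisher. The Python below is an added example, not code from Lookout or this article; it parses only the v1 (JAR) signature block in `META-INF/`, which is what APKs of this era carried (an APK signed solely with the later v2/v3 scheme is not covered), and the package name and allowlist fingerprint used with it are constructed placeholders.

```python
import hashlib, io, zipfile

def _tlv(buf, pos=0):                                     # one DER TLV at buf[pos] -> (tag, value, end)
    tag, first = buf[pos], buf[pos + 1]
    n = (first & 0x7F) if first & 0x80 else 0             # long form: n extra length bytes follow
    start = pos + 2 + n
    length = int.from_bytes(buf[pos + 2:start], "big") if n else first
    return tag, buf[start:start + length], start + length

def _children(value):                                     # elements of a constructed DER value
    pos = 0
    while pos < len(value):
        tag, inner, end = _tlv(value, pos)
        yield tag, inner, value[pos:end]                  # (tag, value, raw TLV bytes)
        pos = end

def signer_cert_from_pkcs7(block):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData block."""
    _, content_info, _ = _tlv(block)                      # ContentInfo SEQUENCE
    _, signed_data, _ = _tlv(list(_children(content_info))[1][1])   # [0] EXPLICIT -> SignedData SEQUENCE
    fields = list(_children(signed_data))                 # version, digestAlgs, contentInfo, [0] certs, ...
    for tag, value, _ in fields[3:]:
        if tag == 0xA0:                                   # [0] IMPLICIT certificates; first SEQUENCE is a cert
            return next(raw for ctag, _, raw in _children(value) if ctag == 0x30)
    raise ValueError("no certificate in signature block")

def apk_signer_cert(apk_bytes):
    """DER bytes of the v1 (JAR) signing certificate embedded in an APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                return signer_cert_from_pkcs7(zf.read(name))
    raise ValueError("no v1 signature block found")

def is_trusted_publisher(package, apk_bytes, allowlist):
    """True only if the signer's SHA-256 fingerprint matches the one pinned for that package."""
    fingerprint = hashlib.sha256(apk_signer_cert(apk_bytes)).hexdigest()
    return allowlist.get(package) == fingerprint

def der(tag, body):                                       # sample-building encoder, short-form lengths only
    return bytes([tag, len(body)]) + body

def build_sample_apk(cert_der):
    """Constructed sample: a zip holding only a PKCS#7 block around cert_der (not a real app)."""
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))
                 + der(0xA0, cert_der) + der(0x31, b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/CERT.RSA", der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der(0xA0, signed)))
    return buf.getvalue()
```

On a real device the reference fingerprint has to come from the publisher or the first-tier store, never from the file being checked; a repackaged copy will carry a valid signature, just not the publisher's.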

The three families identified by Lookout researchers include a newcomer, Shuanet, which joins old non-favourites Kemoge (aka Shiftybug) and Shedun (aka GhostPush). The report points out that though often classified as adware, these families of malware are actually Trojans, since on installation they are able to gain the deepest possible access to the files and permissions of the Android operating system.

The repackaging of the apps appears to be so industrialised and automated as to take in anomalous apps such as the Okta two-factor authentication app, despite the infection making no attempt to access the valuable information which passes through it. The report states ‘At first, we wondered why someone would infect an enterprise two-factor authentication app in order to serve ads, neglecting the opportunity to harvest and exfiltrate user credentials. However, looking at the distribution portion of the command and control server, it appears that these families programmatically repackage thousands of popular apps from first-tier app stores like Google Play and its localized equivalents.’

It also notes that antivirus apps seem to have been deliberately and systematically excluded from this mass-repackaging program, for obvious reasons.

Some of the variants among the three families of Trojanware share between 71% and 82% of their codebase, indicating that the as-yet unknown authors employed similar code development methods in their diverse builds of the adware.

Though there are common exploits among all variants in all families, the Kemoge family of adware comes with eight separate approaches to rooting the target Android device.

The repackaged apps are highly functional, but serve ads directed by the governing infection’s preferences rather than the app’s native ones. Collectively, the three families are found most commonly in the United States, Germany, Iran and Russia, among other countries.

The report warns of the great difficulty and potentially prohibitive expense of removing or replacing infected devices, and of the particular potential harm to BYOD-loving businesses, which will now have an app in the fold capable not only of advertising other disreputable software to the end user, but of actually installing it without their consent. The report concludes ‘We believe more families of adware trojanizing popular apps will emerge in the near future and look to dig its heels into the reserved file system to avoid being removed.’
