Trojanized Adware Floods Third-Party Android App Stores - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Mobile // Mobile Applications
Commentary
11/7/2015
12:05 PM
Larry Loeb
Larry Loeb
Commentary
50%
50%

Trojanized Adware Floods Third-Party Android App Stores

New security research from Lookout suggests that several strains of trojanized adware are targeting third-party Android app stores. The safe bet is to use Google Play.

iOS vs. Android: What’s Best For Enterprise Security?
iOS vs. Android: What's Best For Enterprise Security?
(Click image for larger view and slideshow.)

Lookout, a San Francisco-based security firm, released new security research this week that found adware targeting Android that is both dangerous in its approach and widespread.

Michael Bentley, Lookout's head of research and response, wrote in a Nov. 4 blog: "Adware, which has traditionally been used to aggressively push ads, is now becoming trojanized and sophisticated. This is a new trend for adware and an alarming one at that."

This trojanized adware was evidently downloaded from third-party app stores, rather than Google Play, the official Google app store for Android. This means there was a different vector of infection than the XGhostCode malware which snuck by Apple's App Store.

Bentley also noted in his blog:

Lookout has detected over 20,000 samples of this type of trojanized adware masquerading as legitimate top applications, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp, and many others. […] Indeed, we believe many of these apps are actually fully-functional, providing their usual services, in addition to the malicious code that roots the device.

(Image: JasminSeidel/iStockphoto)

(Image: JasminSeidel/iStockphoto)

Rooting the device in this case means that there is no way to simply uninstall the malware. It is disguised as a system app.

The Lookout research suggests that the only way a user can regain a normal device is by seeking out professional help or purchasing a new smartphone -- an expensive proposition. A factory reset won't do it. Whoever sold the phone may be able to convince the manufacturer to do an operating system reflash, which may solve the problem.

This is a new kind of adware, one that works in the background instead of being noisy, obnoxious, and clearly right in your face. Through the root access it gains, this adware allows other applications to do whatever it wants them to do inside Android. For example, the Adware can install other apps on its own.

[Read Android, Chrome OS Merger: Why It Makes Sense.]

Lookout has identified three distinct, but interconnected strains of this kind of trojanized adware: Shuanet, Kemoge (ShiftyBug), and Shedun (GhostPush). These three strains have been found in the several different countries, with the greatest number of detections found in the US, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.

Lookout examined all three strains and found 71% to 82% code similarity. They also used some of the same exploits to do rooting, including Memexploit, Framaroot, and ExynosAbuse. However, the researchers don't think that they have been created by the same author or group, but said they can assume they may be associated in some capacity.

It seems that, given the prevalence of this malware, only apps downloaded directly from the Google Play store can be trusted. Following this security measure has long been advocated by many, but often ignored. In light of this new research, those who use an Android device must suspect that all third-party hosted apps may be compromised.

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
larryloeb
50%
50%
larryloeb,
User Rank: Author
11/9/2015 | 2:36:29 PM
Re: root
Yeah, this is a major hosing of Android. And because it is so stealthy, you may have already installed one and not even known it.

When Apple tried to implement its glass-walled garden of apps with the App Store, many jeered; thinking it was just a revenue move by them. I think it was how they were trying to avoid just this sort of infection vector.
mak63
50%
50%
mak63,
User Rank: Ninja
11/9/2015 | 1:18:13 PM
root
Lookout has detected over 20,000
Wow. This is certainly bad news. I use some third party app stores, besides Play. So, I'm at risk. Gotta be more careful from now on.
Most of the rooted devices have su or suoersu installed. So, when apps like facebook or whatsup want to gain root, it's clearly synonymous of something fishy is going on.
It is disguised as a system app.
It's not recommended, but you can uninstall some system apps in a rooted device.
Slideshows
Reflections on Tech in 2019
James M. Connolly, Editorial Director, InformationWeek and Network Computing,  12/9/2019
Slideshows
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Commentary
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
The Cloud Gets Ready for the 20's
This IT Trend Report explores how cloud computing is being shaped for the next phase in its maturation. It will help enterprise IT decision makers and business leaders understand some of the key trends reflected emerging cloud concepts and technologies, and in enterprise cloud usage patterns. Get it today!
Slideshows
Flash Poll