Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire

Auto-rooting adware is a worrying development in the Android ecosystem in which malware roots the device automatically after the user installs it, embeds itself as a system application, and becomes nearly impossible to remove. Adware, which has traditionally been used to aggressively push ads, is now becoming trojanized and sophisticated. This is a new trend for adware and an alarming one at that.

Lookout has detected over 20,000 samples of this type of trojanized adware masquerading as legitimate top applications, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp, and many others.

Malicious actors behind these families repackage and inject malicious code into thousands of popular applications found in Google Play, and then later publish them to third-party app stores. Indeed, we believe many of these apps are actually fully-functional, providing their usual services, in addition to the malicious code that roots the device.

Unlike older types of adware that were obvious and obnoxious, prompting users to uninstall them, this new type of adware is silent, working in the background. These malicious apps root the device unbeknownst to the user. To add insult to injury, victims will likely not be able to uninstall the malware, leaving them with the options of either seeking out professional help to remove it, or simply purchasing a new device.

The act of rooting the device in the first place creates additional security risk for enterprises and individuals alike, as other apps can then get root access to the device, giving them unrestricted access to files outside of their domain. Usually applications are not allowed to access the files created by other applications; with root access, however, those limitations are easily bypassed.

Trojanized adware: the story gets bigger

Over the past year, Lookout has studied three interconnected families of adware. Lookout discovered the family Shuanet, which, like all of these families, auto-roots the device and hides in the system directory. Kemoge, or what we call ShiftyBug, recently made headlines for rooting the victim’s device and installing secondary payload apps. Another family, Shedun, also referred to as GhostPush, is yet another example of this trojanized adware. While many classify these as simple “adware,” these families are trojans.

Together, the three are responsible for over 20,000 repackaged apps, including Okta’s two-factor authentication app. We are in contact with Okta regarding this malicious repackaging of its app.

At first, we wondered why someone would infect an enterprise two-factor authentication app in order to serve ads, neglecting the opportunity to harvest and exfiltrate user credentials. However, looking at the distribution portion of the command and control server, it appears that these families programmatically repackage thousands of popular apps from first-tier app stores like Google Play and its localized equivalents. Curiously, antivirus apps appear to have been specifically excluded, suggesting a high level of planning when creating these malware campaigns.

This is why we found thousands of popular repackaged apps available in third-party app stores.

In Okta’s case, Shuanet.a delivers the original app intact, and usable. Usually, most malware that pretends to be a popular app or game imitates the legitimate version in name and icon only. We believe many of Shuanet’s repackaged apps are fully-functional, making it much easier to trick an unsuspecting victim and avoid detection.

The highest detections for these three families together are in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.

The connections

While we don’t believe these apps were all created by the same author or group, we can assume they may be associated in some capacity.

Lookout’s technology and security researchers were able to correlate Shuanet, Shedun, and ShiftyBug after examining samples of the three in our dataset of mobile code. We found that some variants from these families have 71 percent to 82 percent code similarity, meaning that the authors used the same pieces of code to build their versions of the auto-rooting adware. It’s clear the three have at least heard of each other.

The three families also share exploits. In order to root the device, each trojanized adware app uses publicly available exploits that perform the rooting function. ShiftyBug, for example, comes packed with at least eight of them in an effort to enable itself to root as many devices as possible. Of the families discussed, ShiftyBug and Shuanet use the following exploits:

  • Memexploit
  • Framaroot
  • ExynosAbuse

These are not new exploits; in fact, many of them are used in popular root enablers.
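Because these families ship their root exploits inside the repackaged APK, one useful triage step is to list every native (ELF) object an APK carries and hash it for lookup. The following is an added example written for this post, not Lookout's tooling; the heuristic that an ELF binary stored outside lib/ deserves a closer look is an assumption of the example, and the APK it runs on is a constructed stand-in.

```python
import hashlib
import io
import zipfile

ELF_MAGIC = b"\x7fELF"


def find_native_payloads(apk_bytes):
    """List every ELF object inside an APK with its SHA-256.

    Heuristic (an assumption of this example, not a rule from the post):
    JNI libraries normally live under lib/<abi>/, so an ELF binary stored
    as an asset or raw resource is worth a closer look, since packed root
    exploits are native executables that have to be shipped somewhere.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            with apk.open(info) as member:
                head = member.read(4)
                if head != ELF_MAGIC:
                    continue
                data = head + member.read()
            found.append({
                "path": info.filename,
                "sha256": hashlib.sha256(data).hexdigest(),
                "outside_lib": not info.filename.startswith("lib/"),
            })
    return found


def suspicious_payloads(apk_bytes):
    """Only the ELF objects stored outside lib/ (the ones to hash-check)."""
    return [p for p in find_native_payloads(apk_bytes) if p["outside_lib"]]


def build_sample_apk():
    """Constructed stand-in APK for an offline run; not a real sample."""
    buf = io.BytesIO()
    elf_stub = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 29  # fake ELF header
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        z.writestr("lib/armeabi/libjni.so", elf_stub)      # ordinary JNI lib
        z.writestr("assets/data.bin", elf_stub)            # ELF hidden in assets
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for p in suspicious_payloads(build_sample_apk()):
        print(p["path"], p["sha256"])
```

The hashes it prints are what you would compare against a known-exploit list; a JNI library under lib/ is expected and is reported but not flagged.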


The repercussions

For individuals, getting infected with Shedun, Shuanet, and ShiftyBug might mean a trip to the store to buy a new phone. Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy.

For enterprises, having rooted devices on the network is a concern, especially if those devices were rooted by a repackaged version of a legitimate and popular enterprise app. In this rooted state, an everyday victim won’t have the proper interface to control what apps on the phone request root access. The problem here is that these apps may gain access to data they shouldn’t have access to, given their escalated privileges.
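Since all three families persist by installing themselves under /system, an enterprise responder can compare the packages a device reports under /system against the set the factory image shipped. This is an added example, not Lookout's tooling: the `pm list packages -f` output is a constructed sample, and the factory baseline is an assumed allowlist that would come from a known-good device of the same model.

```python
import re

# Constructed sample of `adb shell pm list packages -f` output (not from a real device).
# The third line is the kind of entry this malware leaves behind: an APK the user
# never chose to install, sitting in /system/ rather than /data/app/.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/Phone/Phone.apk=com.android.phone
package:/system/app/com.example.adsvc.apk=com.example.adsvc
package:/data/app/com.okta.android.auth-1/base.apk=com.okta.android.auth
"""

# Assumed baseline: packages that ship in /system on this device's factory image.
FACTORY_SYSTEM_PACKAGES = {"com.android.settings", "com.android.phone"}

LINE_RE = re.compile(r"^package:(?P<path>.+)=(?P<pkg>[\w.]+)$")


def parse_pm_list(text):
    """Parse `pm list packages -f` lines into (apk_path, package_name) pairs."""
    apps = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            apps.append((m.group("path"), m.group("pkg")))
    return apps


def unexpected_system_apps(pm_output, baseline):
    """Packages installed under /system/ that the factory image did not ship.

    /system is mounted read-only in normal operation, so an addition there
    means something obtained root and wrote into it, which is exactly the
    persistence step described above.
    """
    return sorted(
        pkg for path, pkg in parse_pm_list(pm_output)
        if path.startswith("/system/") and pkg not in baseline
    )


if __name__ == "__main__":
    for pkg in unexpected_system_apps(SAMPLE_PM_OUTPUT, FACTORY_SYSTEM_PACKAGES):
        print("not in factory baseline:", pkg)
```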

Developers, of course, should be concerned about brand reputation. Legitimate application developers are often unjustly blamed for the malicious actions of malware that repackaged their applications. In reality, both the user and the app developer here are victims of malware.

We expect this class of trojanized adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional malware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities.

While historically adware hoped to convince the user to install new applications by showing banners and annoying pop-ups, it can now install these third-party apps without user consent. In this way it can heavily capitalize on the Cost Per Install paid out by web marketing companies. Unfortunately, should the revenue model for installs and ad clicks change, this may lead malware authors to use this privilege escalation for new monetization strategies.

We believe more families of adware trojanizing popular apps will emerge in the near future and will look to dig their heels into the reserved file system to avoid being removed.