Trojanized Adware Floods Third-Party Android App Stores

New security research from Lookout suggests that several strains of trojanized adware are targeting third-party Android app stores. The safe bet is to use Google Play.

Larry Loeb, Blogger, Informationweek

November 7, 2015


Lookout, a San Francisco-based security firm, released new security research this week that found adware targeting Android that is both dangerous in its approach and widespread.

Michael Bentley, Lookout's head of research and response, wrote in a Nov. 4 blog: "Adware, which has traditionally been used to aggressively push ads, is now becoming trojanized and sophisticated. This is a new trend for adware and an alarming one at that."

This trojanized adware was evidently downloaded from third-party app stores rather than from Google Play, Google's official app store for Android. The infection vector therefore differs from that of the XcodeGhost malware, which slipped past Apple's App Store.

Bentley also noted in his blog:

Lookout has detected over 20,000 samples of this type of trojanized adware masquerading as legitimate top applications, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp, and many others. […] Indeed, we believe many of these apps are actually fully-functional, providing their usual services, in addition to the malicious code that roots the device.

Rooting the device in this case means there is no way to simply uninstall the malware: once it has root access, it installs itself as a system app, which the normal uninstall mechanism cannot remove.

The Lookout research suggests that the only way a user can regain a normal device is by seeking professional help or purchasing a new smartphone -- an expensive proposition. A factory reset won't do it. Whoever sold the phone may be able to convince the manufacturer to reflash the operating system, which may solve the problem.

This is a new kind of adware, one that works quietly in the background rather than being noisy, obnoxious, and right in your face. Through the root access it gains, this adware can make other applications do whatever it wants inside Android; for example, the adware can install other apps on its own.
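The passages above describe the defender's problem: an app that has rooted the device and copied itself into the system partition is no longer removable through the normal uninstall path, and a factory reset (which wipes /data but not /system) does not touch it. One practical check is to compare the install path of every package on the device against what a clean vendor image carries. The script below is an added example and is not code from the article or from Lookout; it parses the real output format of `adb shell pm list packages -f` (`package:<apk path>=<package name>`) and flags packages that live on a system partition but are either absent from a vendor baseline or carry the package name of an app that is normally installed from Google Play. The baseline set, the popular-app list and the sample output are all assumptions constructed for the example.

```python
"""Added example, not from the article or from Lookout: triage of
`adb shell pm list packages -f` output that flags apps living on the
system partition which a vendor image would not normally carry.

Why the install path matters: a factory reset wipes /data (user-installed
apps) but leaves /system untouched, so adware that has rooted the device
and copied itself into /system/app or /system/priv-app survives the reset.

Assumptions (all ours): BASELINE_SYSTEM_PACKAGES is a placeholder for the
package list of a known-clean image of the same make, model and build;
USER_INSTALLED_APPS is an illustrative list of package names; the sample
output below is constructed and not captured from a real device.
"""
import re
from typing import Dict, List, NamedTuple

# Real format printed by `pm list packages -f`: "package:<apk path>=<package name>"
_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[A-Za-z0-9_.]+)$")

# Partitions that survive a factory reset and hold system apps.
SYSTEM_PREFIXES = ("/system/app/", "/system/priv-app/", "/vendor/app/", "/product/app/")

BASELINE_SYSTEM_PACKAGES = {  # placeholder baseline, see module docstring
    "com.android.settings",
    "com.android.systemui",
    "com.android.phone",
}

USER_INSTALLED_APPS = {  # illustrative: normally installed from Play into /data/app
    "com.facebook.katana",
    "com.whatsapp",
    "com.twitter.android",
    "com.snapchat.android",
}

NOT_IN_BASELINE = "system-partition package absent from the vendor baseline"
USER_APP_IN_SYSTEM = "package normally installed from Play found in the system image"


class Entry(NamedTuple):
    path: str
    package: str


def parse_pm_output(text: str) -> List[Entry]:
    """Parse `pm list packages -f` lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group("path"), m.group("pkg")))
    return entries


def is_system_path(path: str) -> bool:
    """True when the APK sits on a partition a factory reset does not wipe."""
    return path.startswith(SYSTEM_PREFIXES)


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {package: [reasons]} for every entry that deserves a closer look."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        if not is_system_path(e.path):
            continue  # apps under /data/app can be uninstalled normally
        reasons = []
        if e.package not in BASELINE_SYSTEM_PACKAGES:
            reasons.append(NOT_IN_BASELINE)
        if e.package in USER_INSTALLED_APPS:
            reasons.append(USER_APP_IN_SYSTEM)
        if reasons:
            findings[e.package] = reasons
    return findings


# Constructed sample, not real device output.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
package:/system/priv-app/Facebook/Facebook.apk=com.facebook.katana
package:/system/app/SyncService/SyncService.apk=com.example.syncservice
this line is garbage and is ignored
"""

if __name__ == "__main__":
    for pkg, reasons in triage(parse_pm_output(SAMPLE_PM_OUTPUT)).items():
        print(pkg)
        for r in reasons:
            print("   -", r)
```

A hit from this script is a lead, not a verdict: a package name alone proves nothing, so the next step is to pull the flagged APK and compare its signing certificate and hash against the known-good build of that app. The baseline must also come from the same make, model and firmware build, since vendors legitimately preload different apps.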


Lookout has identified three distinct but interconnected strains of this kind of trojanized adware: Shuanet, Kemoge (ShiftyBug), and Shedun (GhostPush). These three strains have been found in several different countries, with the greatest number of detections in the US, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.

Lookout examined all three strains and found 71% to 82% code similarity between them. They also use some of the same rooting exploits, including Memexploit, Framaroot, and ExynosAbuse. The researchers don't believe the strains were created by the same author or group, but said it is reasonable to assume they are associated in some capacity.

Given the prevalence of this malware, it seems that only apps downloaded directly from the Google Play store can be trusted. This security measure has long been advocated by many but is often ignored. In light of this new research, Android users must treat any app hosted by a third party as potentially compromised.

About the Author(s)

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].
