Non-Removable Android Malware Hijacks Popular Apps

Security researchers have found more than 20,000 popular Android applications on third-party app stores that have been repackaged with malware that installs non-removable advertising tools.

The infected apps, which install their adware in such a way that users may be obliged to replace the affected device, represent a new trend in mobile malware, according to IT security firm Lookout.

20,000 infected samples

Researchers said they found infected versions of more than 20,000 popular Android apps, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp.

The apps, which appear to function normally, were infected with three related families of adware that Lookout calls Shuanet, ShiftyBug and Shedun, each of which uses known security vulnerabilities in Android to gain top-level root privileges to the device.

The malware then installs aggressive ad-display tools as system applications, meaning they remain in place even with a factory reset.

“Victims will likely not be able to uninstall the malware, leaving them with the options of either seeking out professional help to remove it, or simply purchasing a new device,” Lookout said in an advisory.

Because the adware is installed silently, users might not be aware that it arrived via an infected app.

Silent adware

“Unlike older types of adware that were obvious and obnoxious, prompting users to uninstall them, this new type of adware is silent, working in the background. These malicious apps root the device unbeknownst to the user.”

The malware seems to automatically target apps that are popular on Google’s official Play Store, repackaging them with adware and republishing them on third-party app outlets, according to Lookout.

“Antivirus apps appear to have been specifically excluded, suggesting a high level of planning when creating these malware campaigns,” Lookout explained, adding it detected the highest number of devices infected by the three malware families in the US, followed by Germany, Iran, Russia and India.

Lookout said that while the malware is focused on delivering advertisements, it nonetheless poses a security concern for company networks.

“For enterprises, having rooted devices on the network is a concern, especially if those devices were rooted by a repackaged version of a legitimate and popular enterprise app,” Lookout said. “The problem here is that these apps may gain access to data they shouldn’t have access to, given their escalated privileges.”

Users who download apps exclusively from Google’s Play Store are not affected by the malware.

Are you a security pro? Try our quiz!