Categories: Security

Non-Removable Android Malware Hijacks Popular Apps

Security researchers have found more than 20,000 popular Android applications on third-party app stores that have been repackaged with malware that installs non-removable advertising tools.

The infected apps, which install their adware in such a way that users may be obliged to replace the affected device, represent a new trend in mobile malware, according to IT security firm Lookout.

20,000 infected samples

Researchers said they found infected versions of more than 20,000 popular Android apps, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp.

The apps, which appear to function normally, were infected with three related families of adware that Lookout calls Shuanet, ShiftyBug and Shedun, each of which uses known security vulnerabilities in Android to gain top-level root privileges to the device.

The malware then installs aggressive ad-display tools as system applications, meaning they remain in place even with a factory reset.

“Victims will likely not be able to uninstall the malware, leaving them with the options of either seeking out professional help to remove it, or simply purchasing a new device,” Lookout said in an advisory.

Because the adware is installed silently, users might not be aware that it arrived via an infected app.

Silent adware

“Unlike older types of adware that were obvious and obnoxious, prompting users to uninstall them, this new type of adware is silent, working in the background. These malicious apps root the device unbeknownst to the user.”

The malware seems to automatically target apps that are popular on Google’s official Play Store, repackaging them with adware and republishing them on third-party app outlets, according to Lookout.

“Antivirus apps appear to have been specifically excluded, suggesting a high level of planning when creating these malware campaigns,” Lookout explained, adding it detected the highest number of devices infected by the three malware families in the US, followed by Germany, Iran, Russia and India.

Lookout said that while the malware is focused on delivering advertisements, it nonetheless poses a security concern for company networks.

“For enterprises, having rooted devices on the network is a concern, especially if those devices were rooted by a repackaged version of a legitimate and popular enterprise app,” Lookout said. “The problem here is that these apps may gain access to data they shouldn’t have access to, given their escalated privileges.”

Users who download apps exclusively from Google’s Play Store are not affected by the malware.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

UK’s CMA Begins Probe Of Viasat Acquisition Of Inmarsat

British competition regulator the CMA, begins phase one investigation of $7.3 billion merger between Inmarsat…

17 hours ago

Cisco Admits ‘Security Incident’ After Breach Of Corporate Network

Yanluowang ransomware hackers claim credit for compromise of Cisco's corporate network in May, while Cisco…

18 hours ago

Google Seeks To Shame Apple Over RCS Refusal

Good luck convincing Tim. Google begins publicity campaign to pressure Aple into adopting the cross…

19 hours ago

Elon Musk Wants Staff Names Of Twitter’s Bot Counters

Fight with Twitter, sees Elon Musk's legal team requesting names of those employees who calculate…

21 hours ago

Former Twitter Executive Convicted Of Spying For Saudi Arabia

Spying scandal. Former Twitter executive found guilty in San Francisco courtroom of spying for Saudi…

1 day ago

Meta Raises $10 Billion In Bond Offering

First ever bond offering sees Facebook parent Meta Platforms raise $10 billion, as it seeks…

1 day ago