
Non-Removable Android Malware Hijacks Popular Apps

Security researchers have found more than 20,000 popular Android applications on third-party app stores that have been repackaged with malware that installs non-removable advertising tools.

The infected apps, which install their adware in such a way that users may be obliged to replace the affected device, represent a new trend in mobile malware, according to IT security firm Lookout.

20,000 infected samples

Researchers said they found infected versions of more than 20,000 popular Android apps, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter and WhatsApp.

The apps, which appear to function normally, were infected with three related families of adware that Lookout calls Shuanet, ShiftyBug and Shedun, each of which uses known security vulnerabilities in Android to gain root privileges on the device.

The malware then installs aggressive ad-display tools as system applications, meaning they remain in place even with a factory reset.

“Victims will likely not be able to uninstall the malware, leaving them with the options of either seeking out professional help to remove it, or simply purchasing a new device,” Lookout said in an advisory.

Because the adware is installed silently, users might not be aware that it arrived via an infected app.

Silent adware

“Unlike older types of adware that were obvious and obnoxious, prompting users to uninstall them, this new type of adware is silent, working in the background. These malicious apps root the device unbeknownst to the user.”

The malware seems to automatically target apps that are popular on Google’s official Play Store, repackaging them with adware and republishing them on third-party app outlets, according to Lookout.

“Antivirus apps appear to have been specifically excluded, suggesting a high level of planning when creating these malware campaigns,” Lookout explained, adding it detected the highest number of devices infected by the three malware families in the US, followed by Germany, Iran, Russia and India.

Lookout said that while the malware is focused on delivering advertisements, it nonetheless poses a security concern for company networks.

“For enterprises, having rooted devices on the network is a concern, especially if those devices were rooted by a repackaged version of a legitimate and popular enterprise app,” Lookout said. “The problem here is that these apps may gain access to data they shouldn’t have access to, given their escalated privileges.”

Users who download apps exclusively from Google’s Play Store are not affected by the malware.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
