Categories: Security

Non-Removable Android Malware Hijacks Popular Apps

Security researchers have found more than 20,000 popular Android applications on third-party app stores that have been repackaged with malware that installs non-removable advertising tools.

The infected apps, which install their adware in such a way that users may be obliged to replace the affected device, represent a new trend in mobile malware, according to IT security firm Lookout.

20,000 infected samples

Researchers said they found infected versions of more than 20,000 popular Android apps, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp.

The apps, which appear to function normally, were infected with three related families of adware that Lookout calls Shuanet, ShiftyBug and Shedun, each of which uses known security vulnerabilities in Android to gain top-level root privileges to the device.

The malware then installs aggressive ad-display tools as system applications, meaning they remain in place even with a factory reset.

“Victims will likely not be able to uninstall the malware, leaving them with the options of either seeking out professional help to remove it, or simply purchasing a new device,” Lookout said in an advisory.

Because the adware is installed silently, users might not be aware that it arrived via an infected app.

Silent adware

“Unlike older types of adware that were obvious and obnoxious, prompting users to uninstall them, this new type of adware is silent, working in the background. These malicious apps root the device unbeknownst to the user.”

The malware seems to automatically target apps that are popular on Google’s official Play Store, repackaging them with adware and republishing them on third-party app outlets, according to Lookout.

“Antivirus apps appear to have been specifically excluded, suggesting a high level of planning when creating these malware campaigns,” Lookout explained, adding it detected the highest number of devices infected by the three malware families in the US, followed by Germany, Iran, Russia and India.

Lookout said that while the malware is focused on delivering advertisements, it nonetheless poses a security concern for company networks.

“For enterprises, having rooted devices on the network is a concern, especially if those devices were rooted by a repackaged version of a legitimate and popular enterprise app,” Lookout said. “The problem here is that these apps may gain access to data they shouldn’t have access to, given their escalated privileges.”

Users who download apps exclusively from Google’s Play Store are not affected by the malware.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Meta Plans Subsea Cable For Its Own Exclusive Use – Report

World spanning subsea cable measuring 40,000km (or 24,854 mile) long, reportedly being planned by Meta…

2 days ago

Canada Sues Google For Alleged Anti-Competitive Conduct In Advertising

More legal trouble. Canada's Competition Bureau sues Google for alleged anti-competitive conduct in online advertising

2 days ago

German Government Plots €2 Billion For Chip Subsidies – Report

Is it enough? After Intel disappointment, Germany to offer approximately 2 billion euros in subsidies…

3 days ago

Google Asks Appeal Court To Throw Out Epic App Store Verdict

After Epic Games 2023 courtroom victory, Google appeal argues “dramatic redesign” of Play store will…

3 days ago

Intel Says $7.86bn Grant From US Will Restrict Foundry Spin-off

Chip giant's plan for Intel Foundry to be spun off as independent subsidiary will be…

3 days ago