Trojanized adware: already infected more than 20,000 Android Apps

Researchers at Lookout firm have come across a new malicious adware family distributed via trojanized versions of popular Android applications.

Researchers at mobile security firm Lookout have come across a new malicious adware family distributed via trojanized versions of popular Android applications.

Security experts at Lookout have discovered a new strain of adware dubbed Shuanet, which is distributed via trojanized versions of popular Android apps, including the Okta’s two-factor authentication application, Candy Crush and Facebook.

Shuanet is able to gain root access to the infected device phone without the user’s knowledge, the threats install themselves as system applications and are very hard to remove from the devices.

The researchers at Lookout have discovered more than 20,000 popular Android applications that were trojanized with the adware Shuanet, Kemoge and Shuanet and distributed through third-party repositories. The trojanized versions of the mobile apps are fully functional, for this reason, they don’t raise suspicion. It is important to note that threat actors behind the campaign avoided compromising antivirus apps, a circumstance that suggests a high level of planning when creating these malware campaigns.

“Lookout has detected over 20,000 samples of this type of trojanized adware masquerading as legitimate top applications, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp, and many others.” Lookout’s Michael Bentley wrote in a blog post. “Malicious actors behind these families repackage and inject malicious code into thousands of popular applications found in Google Play, and then later publish them to third-party app stores.”

The expert observed the majority of the Shuanet adware infections in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.

Lookout researchers believe that threat actors behind the adware campaigns Kemoge, Shedun and Shuanet are different groups, anyway the adware families appear to be linked. In some cases, the variants of malware analyzed share between 71 and 82 percent of their code, a circumstance that suggest the authors used the same pieces of code to build their versions of the auto-rooting adware.

 

Kemoge and Shuanet adware share at least three exploits to root devices.

“While historically adware hoped to convince the user to install new applications by showing banners and annoying pop ups, now it can install these third party apps without user consent. In this way it can heavily capitalize on the Cost Per Install paid out by web marketing companies,” Lookout’s Michael Bentley said in a blog post. “Unfortunately, should the revenue model change on clicks-per-install and ads, this may lead to malware authors using this privilege escalation for new monetization strategies.”

According to the experts, it is easy to predict that this type of trojanized adware will become even more sophisticated over the time.

“We expect this class of trojanized adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional malware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities.”

 Pierluigi Paganini

(Security Affairs –  CryptoWall 4.0, ransomware)

 

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

2 hours ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

6 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

20 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.