Android Users Warned of Trojanized Auto-Root Adware

Security researchers are warning of a new epidemic of 20,000 repackaged apps injected with trojanized Android adware designed to root users' smartphones.

Lookout Security claimed that some of the most popular apps on Google Play, including Facebook, Okta, Twitter and WhatsApp, have been repackaged, injected with one of three adware families and distributed via third-party app stores.

These three families—Shuanet, Shedun and ShiftyBug—are said to share between 71% and 82% of the same code, and use publicly available exploits to root the victim’s device.

ShiftyBug comes with at least eight exploits, Lookout claimed.

After rooting the device, the adware installs itself as a system application, making the malware almost impossible for a regular user to remove.

Rooting the device in this way could leave it exposed to other malicious applications as it effectively enables apps to bypass Android’s sandboxing capabilities, the vendor said.

The trojanized apps can be tricky to spot given that many are merely repackaged legitimate applications, which retain a full set of functionality alongside the malicious code.

The highest detection rates for the adware are in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia, Lookout claimed.

Apart from the risk to enterprise users from having their phone covertly rooted, there’s also a reputation issue at stake for developers of some of these big-name titles, the firm added.

The advice from Michael Bentley, senior manager of research and response at Lookout, was simple.

“We always take great care to inform organisations we believe to be affected by any malware, before we go public. In this situation, these apps are not in Google Play, but instead they're copied and distributed via popular third party app stores,” he told Infosecurity by email.

“Stay clear of third party app stores if possible, and if you do use them, check who the app is authored and listed by. You can also use security apps to monitor for suspicious behavior.”

There is a fear that malware writers may progress from trojanized adware to more malicious code using the same infection techniques.
