Researchers have uncovered a new type of Android adware that’s virtually impossible to uninstall, exposes phones to potentially dangerous root exploits, and masquerades as one of thousands of different apps from providers such as Twitter, Facebook, and even Okta, a two-factor authentication service.
The researchers have found more than 20,000 samples of trojanized apps that repackage the code or other features found in official apps available in Google Play. From the end user’s perspective, the modified apps look just like the legitimate apps, and in many cases they provide the same functionality and experience. Behind the scenes, however, the apps use powerful exploits that gain root access to the Android operating system. The exploits—found in three app families known as Shedun, Shuanet, and ShiftyBug—allow the trojanized apps to install themselves as system applications, a highly privileged status that’s usually reserved only for operating system-level processes.
“For individuals, getting infected with Shedun, Shuanet, and ShiftyBug might mean a trip to the store to buy a new phone,” researchers from mobile security firm Lookout wrote in a blog post published Wednesday. “Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy.”
The Lookout researchers said the apps appear to do little more than display ads, but given their system-level status and root privileges, they have the ability to subvert key security mechanisms built into Android. Under a model known as sandboxing, for instance, Android apps aren’t permitted to access passwords or most other data available to other apps. System applications with root, by contrast, have super-user permissions that allow them to break out of such sandboxes. From there, root-level apps can read or modify data and resources that would be off limits to normal apps.