Rooting a phone is something many people choose to do so they can use apps and features that would otherwise be off limits. If you make that choice yourself, you are in control. But security researchers at Lookout have discovered a new form of malware, disguised as apps from the likes of Facebook and Twitter, that takes the choice out of your hands.
While some of the apps are at least partially functional, the malware carries a nasty payload: it can quietly root your phone in the background. Lookout has identified three families of malware, Shuanet, ShiftyBug, and Shedun, that can be found in more than 20,000 apps in Google Play. Once installed, the malware is almost impossible to remove.
Lookout describes the new breed of malware as ‘trojanized adware’ and says the alarming new trend is sophisticated. To increase its spread, the malware has been hidden in fake versions of apps such as Candy Crush, Snapchat, and WhatsApp. For many users, the appearance of unwanted ads will be the first sign of an infection, but the fact that devices can be rooted automatically presents serious problems for individuals and businesses alike.
Revealing their findings in a blog post, Lookout says:
At first, we wondered why someone would infect an enterprise two-factor authentication app in order to serve ads, neglecting the opportunity to harvest and exfiltrate user credentials. However, looking at the distribution portion of the command and control server, it appears that these families programmatically repackage thousands of popular apps from first-tier app stores like Google Play and its localized equivalents. Curiously, antivirus apps appear to have been specifically excluded, suggesting a high level of planning when creating these malware campaigns.
Lookout does not think that all of the apps were created by the same people, but it believes that two or more groups may have been working together. Infection rates are highest in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia, and the amount of code shared between the three families shows that there is some form of relationship between them.
The malware uses the same techniques as ‘legitimate’ rooting tools, taking advantage of the Memexploit, Framaroot, and ExynosAbuse exploits. Lookout warns that for individuals an infection could mean “forcing victims to replace their device in order to regain normalcy”, but the repercussions for enterprises are more serious. Once phones have been rooted, it is impossible to know who is in control of them, putting data and privacy at risk.
The future doesn’t look too bright, either. Lookout warns:
We believe more families of adware trojanizing popular apps will emerge in the near future and look to dig its heels into the reserved file system to avoid being removed.
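The two symptoms the article describes, a device that has been rooted and an adware package that has lodged itself in the normally read-only system partition, are the things a defender would want to check for. The script below is an added example, not code from Lookout or from the article; it checks a filesystem tree for the conventional "su" binary locations and for packages under system/app and system/priv-app that are not on a firmware allow-list. The paths, the allow-list mechanism and the fixture it builds are assumptions of the example, not details the article gives, and the check is run offline over a constructed tree so that no real device is touched.

```shell
#!/bin/sh
# Added example: an offline check for two indicators of trojanized adware,
# a rooted device and a third-party app planted in the system partition.
# It inspects a filesystem tree rooted at $1, so it can be run over a mounted
# image or, as below, over a constructed fixture.
# Assumption (not from the article): the "su" locations and the
# system/app and system/priv-app directories are the conventional Android ones.

# Counts "su" binaries present at the usual locations under the tree.
count_su_binaries() {
    tree="$1"
    n=0
    for rel in system/bin/su system/xbin/su sbin/su system/su su/bin/su; do
        if [ -f "$tree/$rel" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Prints every package directory under system/app and system/priv-app that is
# not listed (one name per line) in the allow-list file $2. An allow-list is
# used because what belongs on a system partition depends on the firmware.
list_unexpected_system_apps() {
    tree="$1"
    allow="$2"
    for dir in system/app system/priv-app; do
        [ -d "$tree/$dir" ] || continue
        for entry in "$tree/$dir"/*; do
            [ -e "$entry" ] || continue
            name=$(basename "$entry")
            if ! grep -qx -- "$name" "$allow"; then
                echo "$dir/$name"
            fi
        done
    done
}

# Builds a constructed fixture tree (not a real device image): two planted
# su binaries, an allow-list of stock package directories, one stock app in
# each app directory and one unexpected app under system/app.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/system/bin" "$fx/system/xbin" \
             "$fx/system/app/Browser" "$fx/system/app/com.example.planted" \
             "$fx/system/priv-app/Settings"
    : > "$fx/system/bin/su"
    : > "$fx/system/xbin/su"
    : > "$fx/system/app/Browser/Browser.apk"
    : > "$fx/system/app/com.example.planted/base.apk"
    : > "$fx/system/priv-app/Settings/Settings.apk"
    printf 'Browser\nSettings\n' > "$fx/allowlist.txt"
    echo "$fx"
}

# Demo run over the fixture; reports 2 su binaries and the planted package.
fixture=$(make_fixture)
echo "su binaries found: $(count_su_binaries "$fixture")"
echo "system apps not on the allow-list:"
list_unexpected_system_apps "$fixture" "$fixture/allowlist.txt"
rm -rf "$fixture"
```

On a real device the same functions can be pointed at a mounted system image; the allow-list should come from a known-good copy of the same firmware build, since an unexpected entry only means "not in the reference", not "malicious" by itself.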