Categories: Security

Non-Removable Android Malware Hijacks Popular Apps

Security researchers have found more than 20,000 popular Android applications on third-party app stores that have been repackaged with malware that installs non-removable advertising tools.

The infected apps, which install their adware in such a way that users may be obliged to replace the affected device, represent a new trend in mobile malware, according to IT security firm Lookout.

20,000 infected samples

Researchers said they found infected versions of more than 20,000 popular Android apps, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp.

The apps, which appear to function normally, were infected with three related families of adware that Lookout calls Shuanet, ShiftyBug and Shedun, each of which uses known security vulnerabilities in Android to gain top-level root privileges to the device.

The malware then installs aggressive ad-display tools as system applications, meaning they remain in place even with a factory reset.

“Victims will likely not be able to uninstall the malware, leaving them with the options of either seeking out professional help to remove it, or simply purchasing a new device,” Lookout said in an advisory.

Because the adware is installed silently, users might not be aware that it arrived via an infected app.

Silent adware

“Unlike older types of adware that were obvious and obnoxious, prompting users to uninstall them, this new type of adware is silent, working in the background. These malicious apps root the device unbeknownst to the user.”

The malware seems to automatically target apps that are popular on Google’s official Play Store, repackaging them with adware and republishing them on third-party app outlets, according to Lookout.

“Antivirus apps appear to have been specifically excluded, suggesting a high level of planning when creating these malware campaigns,” Lookout explained, adding it detected the highest number of devices infected by the three malware families in the US, followed by Germany, Iran, Russia and India.

Lookout said that while the malware is focused on delivering advertisements, it nonetheless poses a security concern for company networks.

“For enterprises, having rooted devices on the network is a concern, especially if those devices were rooted by a repackaged version of a legitimate and popular enterprise app,” Lookout said. “The problem here is that these apps may gain access to data they shouldn’t have access to, given their escalated privileges.”

Users who download apps exclusively from Google’s Play Store are not affected by the malware.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Northvolt Mulls US Bankruptcy Protection – Report

Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…

4 hours ago

FTC Plans Investigation Into Microsoft Cloud Business – Report

Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC

6 hours ago

Programmer Sentenced To Five Years In Prison For Bitcoin Laundering

Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…

7 hours ago

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

1 day ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

1 day ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

1 day ago