A new strain of adware buried in repackaged popular Android applications is able to root devices and earn its keepers a tidy $2 per installation.
Shuanet behaves more like malware and shares some heritage with two other adware families—Kemoge and Shedun—that also root devices and give their respective payloads system-level persistence.
Across the three strains of adware, researchers at mobile security company Lookout said that 20,000 samples have spread via Trojanized applications available on third-party Android app stores.
“Adware, which has traditionally been used to aggressively push ads, is now becoming Trojanized and sophisticated,” researchers at Lookout wrote in a report published today. “This is a new trend for adware and an alarming one at that.”
Lookout speculates that there are connections between the three adware families beyond their similar techniques. For example, some of the variants share significant portions of source code, and also share exploits. Victims have been found in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.
“In order to root the device, each Trojanized adware app uses publicly available exploits that perform the rooting function,” Lookout researchers wrote. “[Kemoge], for example, comes packed with at least eight of them in an effort to enable itself to root as many devices as possible.”
The attackers behind Shuanet, Shedun and Kemoge are repackaging legitimate applications, including Facebook, Twitter, WhatsApp and other popular apps, injecting the malicious code before republishing the apps into third-party app stores. Most of the repackaged apps, Lookout researchers said, provide the services they promise in addition to rooting the device in order to aggressively push ads and persist.
“To add insult to injury, victims will likely not be able to uninstall the malware, leaving them with the options of either seeking out professional help to remove it, or simply purchasing a new device,” Lookout researchers wrote.
In addition to popular consumer apps, Lookout researchers found a version of the Okta security app, which provides two-factor authentication, repackaged with the adware. The attackers, Lookout researchers said, missed an opportunity to steal credentials from the authentication app.
“Looking at the distribution portion of the command and control server, it appears that these families programmatically repackage thousands of popular apps from first tier app stores like Google Play and its localized equivalents,” Lookout researchers wrote. “Curiously, antivirus apps appear to have been specifically excluded, suggesting a high level of planning when creating these malware campaigns.”
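One defensive check the repackaging described above invites, as an added example that is not part of Lookout's report or tooling: diff a candidate APK's contents against the copy obtained from the first-tier store. The APKs, entry names and signer file names below are constructed stand-ins, not real apps.

```python
"""Spot a repackaged APK by diffing it against the official build (added example).

An injected-code build carries entries the official package lacks (extra DEX,
assets, native libraries) and, because the attacker does not hold the developer's
signing key, a different signer block under META-INF/. Per-entry SHA-256 digests
compared with a reference taken from the store copy surface both.
"""
import hashlib
import io
import zipfile

SIGNER_SUFFIXES = (".RSA", ".DSA", ".EC")  # v1 signature block file names

def entry_digests(apk_bytes):
    """Return {entry name: sha256 hex} for every file inside the APK zip."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def diff_against_reference(reference, candidate):
    """Compare digest maps; any difference means the APK is not the official build."""
    added = sorted(set(candidate) - set(reference))
    removed = sorted(set(reference) - set(candidate))
    modified = sorted(n for n in reference if n in candidate and reference[n] != candidate[n])
    changed = added + removed + modified
    signer_changed = any(n.startswith("META-INF/") and n.endswith(SIGNER_SUFFIXES) for n in changed)
    return {"added": added, "removed": removed, "modified": modified,
            "signer_changed": signer_changed, "repackaged": bool(changed)}

def build_apk(entries):
    """Construct a minimal APK-shaped zip in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed stand-ins for the store copy and a Trojanized repackage of it.
OFFICIAL = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00original bytecode",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.RSA": b"pkcs7-signed-by-developer",
})
TROJANIZED = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00patched entry point",       # modified
    "classes2.dex": b"dex\n035\x00injected adware module",    # added
    "lib/armeabi-v7a/libpayload.so": b"ELF...",              # added
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/ATTACKER.RSA": b"pkcs7-signed-by-attacker",     # re-signed
})

def check_sample():
    """Run the comparison on the constructed pair and return the report dict."""
    return diff_against_reference(entry_digests(OFFICIAL), entry_digests(TROJANIZED))
```

In practice the reference map comes from the official store copy, and `apksigner verify --print-certs` is the stronger signer check because it validates the certificate itself rather than the signer file name.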
With concerns about jailbreaking and rooting devices at an all-time high, businesses should pay attention to this trend, in particular if enterprise apps are among those compromised.
“In this rooted state, an everyday victim won’t have the proper interface to control what apps on the phone request root access. The problem here is that these apps may gain access to data they shouldn’t have access to, given their escalated privileges,” Lookout researchers wrote.
They also caution that this model not only lets the attackers profit under the current cost-per-installation scheme; should that scheme change, the rooted devices could be turned to privilege escalation and other attacks.
“We expect this class of trojanized adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional malware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities,” Lookout researchers wrote.