Newly Discovered Auto-Rooting Android Adware Is Impossible To Remove
Lookout Security, a mobile security firm, discovered the new so-called “trojanized adware,” which puts a new twist on how cybercriminals are generating money.
Lookout Security calls it “trojanized adware”: applications are repackaged with malware inside and then distributed through third-party app stores.
Lookout researchers claim they have identified over 20,000 official Android apps being offered for download on third-party Android stores, repackaged with either Shuanet, GhostPush or Kemoge. This theory from Lookout is based on the fact that the adware’s operators avoided antivirus and security apps, but when they’ve repackaged apps that handled sensitive information (Okta’s two-factor authorization app), they have not tampered with the process that handles sensitive user information.
Lookout claims that the operation in which the apps were repackaged with Shuanet seems to have taken place automatically (via a script). Periodically from there, the app will serve ads, which generates money for the attacker.
A scary development, though, is that unlike traditional adware, these apps root the devices on which they are installed in order to prevent users from removing them. Modders and tweakers of Android will know system-level apps to be notoriously hard to remove if you don’t know what you’re doing, or don’t have root access yourself, and this is where the problem lies. Lookout found three major strains, dubbed Shedun, Kemoge (which Lookout refers to as ShiftyBug) and Shuanet.
A lot of Android users swear by having root access, essentially the equivalent of superuser, or admin rights on Linux machines. It’s simple – stick to the Google Play Store for downloading apps and games, and make sure that you uncheck the “Unknown sources” box by navigating to Settings > Security.
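As an added example (not from Lookout or the original article), the advice above can be checked on a device by auditing the output of `adb shell pm list packages -f -i`: the script lists apps that were not installed by the Play Store and apps on the system partition that are missing from a baseline. The baseline set (recorded when the device was known to be clean) and all sample package names are assumptions constructed for illustration.

```python
import re

# Installer package name recorded for apps installed by the Google Play Store.
PLAY_STORE = "com.android.vending"
# Read-only partitions where preinstalled (system-level) apps live.
SYSTEM_PREFIXES = ("/system/", "/product/", "/vendor/", "/system_ext/")

LINE_RE = re.compile(r"^package:(?P<rest>.+?)\s+installer=(?P<installer>\S+)\s*$")


def parse_listing(text):
    """Parse `pm list packages -f -i` output into (apk_path, package, installer)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # APK paths on recent Android contain '=' characters, so split on the last one.
        path, _, package = m.group("rest").rpartition("=")
        rows.append((path, package, m.group("installer")))
    return rows


def audit(text, baseline_system):
    """Return (sideloaded, new_system) lists of package names."""
    sideloaded, new_system = [], []
    for path, package, installer in parse_listing(text):
        if path.startswith(SYSTEM_PREFIXES):
            # A system-level app that was absent from the clean baseline.
            if package not in baseline_system:
                new_system.append(package)
        elif installer != PLAY_STORE:
            # User-installed app that did not come from the Play Store.
            sideloaded.append(package)
    return sideloaded, new_system


# Constructed sample output; package names are made up for illustration.
SAMPLE = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings  installer=null
package:/data/app/~~Qx1==/com.example.game-Zk9==/base.apk=com.example.game  installer=com.android.vending
package:/data/app/~~Ab2==/com.example.flashlight-Lm3==/base.apk=com.example.flashlight  installer=null
package:/system/app/SysUpdate/SysUpdate.apk=com.example.sysupdate  installer=null
"""

if __name__ == "__main__":
    side, new_sys = audit(SAMPLE, baseline_system={"com.android.settings"})
    print("sideloaded:", side)
    print("new system apps:", new_sys)
```

A flagged package is a prompt for review, not proof of infection: apps installed over adb or from a vendor store also show a non-Play installer.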
The repackaged apps are highly functional, but serve ads directed by the governing infection’s preferences rather than the app’s native ones. The attackers appear to use an automated system to crawl Google’s store, download a selection of legitimate applications and modify them to install the adware. While adware and other potentially unwanted programs are known hazards for Android users, these latest programs have become much more malicious, masquerading as popular apps such as Candy Crush and Facebook.