Trojanized Android apps flood third-party stores, compromise phones

04.11.2015
Attackers are creating rogue versions of popular Android applications that compromise the security of devices and are extremely hard to remove.

Researchers from mobile security firm Lookout have found more than 20,000 samples of such trojanized apps. They're typically fully functional copies of top Android applications like Candy Crush, Facebook, Google Now, NYTimes, Okta, SnapChat, Twitter or WhatsApp, but with malicious code added to them.

The goal of these rogue apps is to aggressively display advertisements on devices. A scary development though is that, unlike traditional adware, they root the devices where they get installed in order to prevent users from removing them.

In the Android world, rooting a device refers to the process of obtaining administrative privileges -- the root account. An application with root access can break out of its restricted sandbox and take control over the entire device, its applications and data.

The good news is that these trojanized applications are mostly distributed through third-party app stores, so they pose no direct threat to users who only download apps from Google Play.

However, there are legitimate reasons for users to use third-party app stores, which often have apps that are not allowed in Google Play because they can't meet the store's various terms. Online gambling and porn apps are two examples.

Lookout recorded the highest number of detections for trojanized applications in countries like the U.S., Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.

The researchers identified three separate families of adware apps that automatically root devices, dubbed Shedun, Shuanet, and ShiftyBug, which they believe could be related.

The attackers behind these threats likely uses automation to repackage the most popular legitimate apps from Google Play and upload them to less-policed, third-party stores. That would explain the large sample count.

"We expect this class of trojanized adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional malware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities," the researchers said in a blog post.

Lucian Constantin