20,000 repackaged Android apps like Facebook, Snapchat, and Twitter hit by trojanised Android adware
A new kind of Android malware that poses as popular titles, including Facebook, Twitter and Snapchat, has been discovered by researchers in thousands of apps. Devices are getting infected because users install apps from third-party app stores outside the Google Play Store. Legitimate apps, such as the official Facebook and Twitter clients, are downloaded from the Google Play Store and then repackaged so that they carry the new adware.
Since users cannot reasonably be expected to replace their devices, the malware becomes nearly impossible to remove, which only makes matters worse.
Researchers at Lookout Security, a mobile security firm, have coined the term “trojanized adware” for the latest wave of adware found in the Android ecosystem: adware that uses various exploits to root infected devices and install itself as a system app.
The problem is that the repackaged apps remain highly functional, so the malware is hard to detect. Android modders and tweakers know that system-level apps are notoriously hard to remove if you don’t know what you’re doing or don’t have root access yourself, and this is where the problem lies. The infected apps then serve ads chosen by the controlling infection rather than by the app itself, which in turn generates money for the attacker.
The malicious actors take legitimate apps from the Google Play store, repackage them with baked-in adware, and serve them through a third-party app store. In many cases the apps remain fully functional and do not alert the device owner.
Lookout said the apps do not appear to do anything more malicious than display ads, but given their system-level status they could undermine Android’s security mechanisms if they chose to. Three distinct families of trojanized adware have been found. They are called Shedun, Shuanet and ShiftyBug and appear to have been created by different authors who are associated “in some capacity”.
“Together, the three are responsible for over 20,000 repackaged apps, including Okta’s two-factor authentication app”, said the San Francisco, Calif.-based security firm.
It works like this: the user installs an app from a third-party store, and the app auto-roots, gaining access to the entire phone’s system. That act alone punches a hole in Android’s security, opening up more ways for hackers to launch their attacks.
The company said in a blog post that “Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy.”
The company said there are no signs that users who install apps from Google Play, Android’s official app store, are affected, which is good news. However, the main concern lies in the targeting of enterprise apps like Okta, where these apps may gain access to data they are not supposed to see, including sensitive corporate data.
The researchers said the highest detection rates are in the U.S., Germany, Russia, India, Jamaica, Sudan, Brazil, Mexico and Indonesia, adding that they expect trojanized malware to “continue gaining sophistication over time”.