
Unremovable adware hits Android

A new report from internet security company Lookout has found that over 20,000 Android apps, including “recoded” versions of legitimate apps such as Facebook, are infected with Trojanised adware that roots Android devices, leaving users with little recourse other than to have the devices looked at by security specialists or to abandon them completely. Case in point: a new type of adware has been discovered in the wild, and it’s so nasty that it forces users to buy a brand new phone if they want to get rid of it for good.


“We expect this class of trojanized adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional malware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities”, the researchers said in a blog post.

Lookout also notes that antivirus apps seem to have been deliberately and systematically excluded from this mass-repackaging program, for obvious reasons.

Once these apps gain root access, they install themselves as system applications – making them hard to remove.

At least three similar adware families have been found: Shuanet, Kemoge and Shudun.

Lookout researchers claim they have identified over 20,000 official Android apps being offered for download on third-party Android stores, repackaged with either Shuanet, GhostPush or Kemoge.

By taking legitimate apps from the Google Play store, malicious actors repackage them with baked-in adware and distribute them through a third-party app store. From there, the app periodically serves ads, which generate money for the attacker.

The big headache, particularly when enterprise apps like Okta are targeted, is that these apps may gain access to data they are not supposed to, including sensitive corporate data.

Lookout said the apps don’t appear to do anything more malicious than display ads, but given their system-level status they could undermine Android’s security mechanisms if they wanted to. However, looking at the distribution portion of the command and control server, it appears that these families programmatically repackage thousands of popular apps from first-tier app stores like Google Play and its localized equivalents.


Most infected users reside in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico and Indonesia.
