Android malware is becoming more sophisticated



    Android is one of the most widely used mobile operating systems, so attackers keep writing more and more malware for it. Software of this kind appears every day, and most of it does not deserve special mention. But there is one adware family whose implementation and mode of operation are genuinely interesting (and, for an inexperienced user, very dangerous).

    The adware in question is distributed in a way attackers have long tried and tested: ordinary applications such as Twitter, Facebook, or even Okta (a two-factor authentication client) are repackaged. These Trojanized applications are not uploaded to Google Play but to third-party app stores and download sites, many of which are themselves very popular. From the point of view of a user downloading one of these applications, everything looks fine, and in many cases the program works as it should after installation. But alongside it, a powerful Trojan is installed on the victim's phone, and it uses exploits to gain root. The exploits found in three families of such applications (Shedun, Shuanet, and ShiftyBug) let the malware install itself as a system application with the corresponding privileges.

    “For ordinary users, getting malware like Shedun, Shuanet, or ShiftyBug may mean going to the store to get a new phone,” said Lookout, a mobile security company that specializes in Android malware research. Indeed, such applications cannot be deleted in the usual way: they sit on the system partition with system privileges, so the normal uninstall flow refuses to remove them, and a factory reset does not help either, because it wipes only the user data partition and leaves the system partition intact.

    According to the researchers, the cybercriminals repackage thousands of popular applications and then place the infected programs on third-party download sites. Software repackaged with the Trojans mentioned above was found on sites in the USA, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia. There is no information that infected applications have reached Google Play.

    Interestingly, each of these malicious programs carries a whole set of root exploits covering a number of the most popular mobile devices; root exploits are typically specific to a particular kernel or firmware build, so bundling several raises the chance that at least one works on the victim's phone. ShiftyBug, for example, is equipped with at least 8 different exploits.



    One variant of the applications described above can now install adware on the victim's phone even if the user declines the installation by tapping the corresponding button. This program also belongs to the Shedun family and is distributed as described above. The malware tricks the victim into enabling the Android Accessibility Service for it. Once installed on the phone, the program can display pop-up ads with links to further adware. Even if the user refuses the installation, Shedun uses the Accessibility Service to install the adware anyway.



    According to information security experts, Shedun does not exploit a vulnerability in the service here. Instead, it uses entirely legitimate Android functionality. Once it has been granted permission to use the Accessibility Service, Shedun can read the text that appears on the display, determine what an application is asking for, view the list of requested permissions, and press the install button itself, all of it autonomously, without user intervention.
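    The two persistence tricks described on this page (a payload dropped onto the system partition so that it survives a normal uninstall, and a third-party package that has been granted the Accessibility Service) both leave traces an investigator can check from an `adb shell` dump. The following triage script is an added example, not code from the original article or from Lookout: it parses constructed sample output of `pm list packages -f` and of `settings get secure enabled_accessibility_services` and flags anything outside an OEM baseline and an accessibility allowlist. The sample dumps, the baseline set, the allowlist and the package name `com.example.notifhelper` are all made up for this example; the page names no package identifiers.

```python
"""Added triage example (not code from the original article or from Lookout).

It checks, offline, for the two things described above: packages that have
ended up on the /system partition without being part of the OEM image, and
third-party packages that have been granted the Accessibility Service.
The sample dumps, the OEM baseline and the allowlist are constructed for this
example; on a real device you would feed it the output of
`adb shell pm list packages -f` and
`adb shell settings get secure enabled_accessibility_services`.
"""

# Constructed sample of `pm list packages -f`: one "package:<apk path>=<package name>" per line.
SAMPLE_PM_LIST = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/data/app/com.twitter.android-1/base.apk=com.twitter.android
package:/system/app/NotifHelper/NotifHelper.apk=com.example.notifhelper
"""

# Constructed sample of the enabled_accessibility_services secure setting: a
# colon-separated list of package/service pairs; the class may be written in
# the abbreviated ".Name" form relative to its package.
SAMPLE_A11Y_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.notifhelper/.OverlayService"
)

# Constructed baselines. On a real device, derive these from a clean copy of
# the same firmware image, never from the suspect device itself.
OEM_SYSTEM_PACKAGES = {"com.android.settings", "com.android.calculator2"}
ALLOWED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_pm_list(output):
    """Return [(apk_path, package_name)] from `pm list packages -f` output."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # rpartition: the package name follows the last '=', the path precedes it
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep:  # skip malformed lines rather than guessing
            entries.append((path, pkg))
    return entries


def unexpected_system_packages(output, baseline):
    """Packages on /system that are not part of the OEM baseline.

    A rooted dropper that copied its payload into /system/app or
    /system/priv-app shows up here; an ordinary install under /data/app
    does not, because that can be removed the usual way.
    """
    return sorted(
        pkg for path, pkg in parse_pm_list(output)
        if path.startswith("/system/") and pkg not in baseline
    )


def parse_accessibility_services(value):
    """Return [(package, fully_qualified_class)] from the secure setting.

    `settings get` prints the literal string "null" when nothing is enabled.
    """
    value = value.strip()
    if not value or value == "null":
        return []
    services = []
    for item in value.split(":"):
        pkg, sep, cls = item.partition("/")
        if not sep:
            continue
        if cls.startswith("."):  # abbreviated form: expand relative to package
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def unexpected_accessibility_services(value, allowed_packages):
    """Enabled accessibility services owned by packages outside the allowlist."""
    return sorted(
        f"{pkg}/{cls}"
        for pkg, cls in parse_accessibility_services(value)
        if pkg not in allowed_packages
    )


def triage(pm_output, a11y_setting, baseline=OEM_SYSTEM_PACKAGES,
           allowed=ALLOWED_A11Y_PACKAGES):
    """Collect both findings in one report dict."""
    return {
        "system_packages_not_in_baseline":
            unexpected_system_packages(pm_output, baseline),
        "accessibility_services_not_allowed":
            unexpected_accessibility_services(a11y_setting, allowed),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_PM_LIST, SAMPLE_A11Y_SETTING).items():
        print(f"{name}: {hits or 'none'}")
```

    Two caveats when running this against a real phone. First, the baseline has to come from a known-good image of the same firmware, because the page's whole point is that the rogue package looks like any other system app once it is on /system. Second, on a device that has already been rooted by the dropper, `pm` and `settings` themselves run on the compromised system, so a clean result from them is weaker evidence than a hit; pulling the partition image and listing it offline is the more trustworthy route.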

