New Android adware tries to root your phone so you can’t remove it
By Ryan Whitwam
A new piece of Android
malware has been revealed by security firm Lookout, and it’s a clever
one. The malware in question is a type of trojan adware called Shuanet,
which is masquerading as 20,000 different popular apps. Shuanet doesn’t
just display ads, though. It also attempts to root any device it is
installed on, allowing the malware to survive factory resets.
Shuanet shares a lot
of code with several other adware trojans that Lookout has detected
recently known as Kemoge and Shedun. What’s interesting about Shuanet is
that it doesn’t seek to wreak havoc on an infected device or clog it
with other malware. This is adware first and foremost, so the goal is to
get people to use their devices and see the ads.
The malware
operators are downloading the legitimate Android APKs of popular apps,
then integrating Shuanet and reposting them in third-party app stores.
The thousands of apps repackaged by Shuanet include the likes of
Facebook, Snapchat, NYTimes, WhatsApp, and more. These apps appear to
function normally after being installed, so the user might not even
realize anything is wrong. Just a few annoying popup ads, but such is
the price we pay for living in a connected world, right?
The aspect of Shuanet that is grabbing headlines is that it roots your device, which is sort of true. It certainly tries to root any Android device it is installed on,
but according to Lookout, it’s not using any new secret system
vulnerabilities. It’s simply a package of older community-developed
exploits that enthusiast users install to gain root access for their own
enjoyment. If Shuanet successfully roots a phone, it moves the infected
app to the system partition, which means it will survive a factory
reset. The only way to remove it would be to use a root-enabled file
explorer to find and remove the package. That would be tough if you
didn’t know which app was the source of the infection.
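
One way to narrow down which package was moved, as an added example that is not from Lookout or the original article: compare the output of `adb shell pm list packages -f` from the suspect device against a baseline captured from a known-clean device on the same firmware. The package names and paths in the sample data are constructed, and treating `/system/app/` and `/system/priv-app/` as the system app directories is an assumption of this sketch.

```python
SYSTEM_DIRS = ("/system/app/", "/system/priv-app/")

def parse_pm_list(output):
    """Map package name -> APK path from `pm list packages -f` output."""
    packages = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # Split on the last '=' because newer Android paths can contain '='.
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and path and name:
            packages[name] = path
    return packages

def unexpected_system_apps(current_output, baseline_output):
    """Return (package, path) pairs that sit on the system partition now
    but were not system apps in the known-clean baseline."""
    current = parse_pm_list(current_output)
    baseline = parse_pm_list(baseline_output)
    known = {n for n, p in baseline.items() if p.startswith(SYSTEM_DIRS)}
    return [(n, p) for n, p in sorted(current.items())
            if p.startswith(SYSTEM_DIRS) and n not in known]

# Constructed sample data: com.example.chat was a user-installed app in the
# baseline and now appears under /system/app, the pattern described above.
BASELINE = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/data/app/com.example.chat-1/base.apk=com.example.chat
"""
CURRENT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/system/app/com.example.chat/com.example.chat.apk=com.example.chat
package:/data/app/com.example.news-2/base.apk=com.example.news
"""

if __name__ == "__main__":
    for name, path in unexpected_system_apps(CURRENT, BASELINE):
        print(f"review: {name} at {path}")
```

A firmware update can also add system apps, so each finding is a candidate for review, not a verdict.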
This isn’t as
calamitous as it sounds at first. As we’ve mentioned in the past, there
are no universal root exploits on Android, and all of the public
exploits included in Shuanet have been patched (for example ExynosAbuse
and Framaroot). Thus, a device is only vulnerable if it’s running a
rather old version of Android. Notice how the example image provided by
Lookout is a Jelly Bean phone? A newer phone wouldn’t be rooted by
Shuanet, but the ad features could still work.
It’s still very hard
to get infected with Shuanet. You’d have to disable installation
protection, ignore the Google security warnings, then manually install
one of these apps from a shady third-party app store instead of simply
getting it from Google Play. I’m not sure who would do that, but Lookout
says it has seen it happening in the wild. It does not provide a figure
for the number of infections, though.