New Android adware tries to root your phone so you can’t remove it

By Ryan Whitwam 
A new piece of Android malware has been revealed by security firm Lookout, and it’s a clever one. The malware in question is a type of trojan adware called Shuanet, which is masquerading as 20,000 different popular apps. Shuanet doesn’t just display ads, though. It also attempts to root any device it is installed on, allowing the malware to survive factory resets.
Shuanet shares a lot of code with several other adware trojans that Lookout has detected recently known as Kemoge and Shedun. What’s interesting about Shuanet is that it doesn’t seek to wreak havoc on an infected device or clog it with other malware. This is adware first and foremost, so the goal is to get people to use their devices and see the ads.
The malware operators are downloading the legitimate Android APKs of popular apps, then integrating Shuanet and reposting them in third-party app stores. The thousands of apps repackaged by Shuanet include the likes of Facebook, Snapchat, NYTimes, WhatsApp, and more. These apps appear to function normally after being installed, so the user might not even realize anything is wrong. Just a few annoying popup ads, but such is the price we pay for living in a connected world, right?
The aspect of Shuanet that is grabbing headlines is that it roots your device, which is
sort of
true. It certainly tries to root any Android device it is installed on, but according to Lookout, it’s not using any new secret system vulnerabilities. It’s simply a package of older community-developed exploits that enthusiast users install to gain root access for their own enjoyment. If Shuanet successfully roots a phone, it moves the infected app to the system partition, which means it will survive a factory reset. The only way to remove it would be to use a root-enabled file explorer to find and remove the package. That would be tough if you didn’t know which app was the source of the infection.
This isn’t as calamitous as it sounds at first. As we’ve mentioned in the past, there are no universal root exploits on Android, and all of the public exploits included in Shuanet have been patched (for example ExynosAbuse and Framaroot). Thus, a device is only vulnerable if it’s running a rather old version of Android. Notice how the example image provided by Lookout is a Jelly Bean phone? A newer phone wouldn’t be rooted by Shuanet, but the ad features could still work.
It’s still very hard to get infected with Shuanet. You’d have to disable installation protection, ignore the Google security warnings, then manually install one of these apps from a shady third-party app store instead of simply getting it from Google Play. I’m not sure who would do that, but Lookout says it has seen it happening in the wild. It does not provide a figure for the number of infections, though.

Comments