New Android auto-rooting adware that’s virtually impossible to uninstall.
Researchers at the security firm Lookout have uncovered a new type of Android adware that’s virtually impossible to uninstall. The malware in question is a type of Trojan adware called Shuanet, which masquerades as 20,000 different popular apps, including Facebook, Snapchat, Twitter, NYTimes, WhatsApp, Okta’s two-factor authentication app and more. The adware doesn’t just display ads, though: it attempts to root any device it is installed on, allowing the malware to survive factory resets.
The researchers have found more than 20,000 samples of trojanized apps that repackage the code or other features found in official apps available in Google Play and then are posted to third-party markets. These apps appear to function normally after being installed, so the user might not even realize anything is wrong. Just a few annoying popup ads, but such is the price we pay for living in a connected world, right?
Behind the scenes, however, the apps use powerful exploits that gain root access to the Android operating system. The exploits, found in three app families known as Shedun, Shuanet, and ShiftyBug, allow the trojanized apps to install themselves as system applications, a highly privileged status that’s usually reserved only for operating system-level processes. Making matters worse, the adware is almost impossible to remove, forcing a user to replace their device entirely.
The Lookout researchers said the apps appear to do little more than display ads, but given their system-level status and root privileges, they have the ability to subvert key security mechanisms built into Android. Shuanet certainly tries to root any Android device it is installed on, but according to Lookout, it’s not using any new secret system vulnerabilities. It’s simply a package of older community-developed exploits that enthusiast users install to gain root access for their own enjoyment. If Shuanet successfully roots a phone, it moves the infected app to the system partition, which means it will survive a factory reset. The only way to remove it would be to use a root-enabled file explorer to find and remove the package. That would be tough if you didn’t know which app was the source of the infection. Lookout is seeing the highest number of detections in the US, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.
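A defender-side check for the persistence described above, as an added example that is not from Lookout or the original article: it parses the output of `adb shell pm list packages -f` and reports packages on the system partition that are missing from a baseline taken from a known-clean device of the same model. The sample listing, package names and baseline below are constructed for illustration.

```python
"""Flag system-partition packages that a known-clean baseline does not contain."""

SYSTEM_PREFIX = "/system/"  # assumption: covers /system/app and /system/priv-app

# Constructed sample of `adb shell pm list packages -f` output (not real data).
SAMPLE_LISTING = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Calculator/Calculator.apk=com.example.calculator
package:/system/app/ChatHelper/ChatHelper.apk=com.example.chathelper
package:/data/app/~~Qm9ndXM=/com.example.notes-Zm9v==/base.apk=com.example.notes
"""

# Constructed baseline: package names recorded from a clean device of the same model.
BASELINE = {"com.android.settings", "com.example.calculator"}


def parse_pm_listing(text):
    """Parse `pm list packages -f` output into {package_name: apk_path}."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # Split on the LAST '=': newer Android install paths can contain '='.
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and name:
            packages[name] = path
    return packages


def unexpected_system_packages(listing, baseline_names):
    """Return sorted (name, path) pairs on the system partition absent from the baseline."""
    found = parse_pm_listing(listing)
    return sorted(
        (name, path)
        for name, path in found.items()
        if path.startswith(SYSTEM_PREFIX) and name not in baseline_names
    )


if __name__ == "__main__":
    for name, path in unexpected_system_packages(SAMPLE_LISTING, BASELINE):
        print(f"not in baseline: {name} ({path})")
```

A hit is a lead for review rather than proof of infection, since legitimate OS updates also add system packages; the baseline should match the device's current firmware version.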
The good news is that the company said there is no indication that users who install apps from Google Play, Android’s official app store, are affected. It’s still very hard to get infected with Shuanet. You’d have to disable installation protection, ignore the Google security warnings and then manually install one of these apps from a shady third-party app store instead of simply getting it from Google Play. So think before you download any app from any third-party app store.