Another coordinated malware campaign against Android devices has been detected. It involves three related malware families, each apparently refined to evade the defenses and tools created to keep them off Android devices, and each making removal very difficult, if not impossible. The three are known as Shuanet, Shiftybug (also called “Kemoge”), and Shedun (also known as “GhostPush”). All three are “adware”, malware designed to generate revenue for its authors by displaying paid advertisements on infected devices. While adware is generally considered more of an irritant than a threat, a device that has been rooted by this adware is left open to more nefarious threats later.
Android powered devices have become a target for malware authors because of the platform’s massive user base, with nearly two billion Android devices in use, according to Wikipedia. While Google designed Android as a secure operating system, with each app running in its own “sandbox” so that, in theory, an app cannot tamper with the operating system or with other apps, the miscreants who create and distribute malware have found a “chink” in the Android armor that lets them “root” the device, that is, gain privileged control over the operating system. This gives the malware access to the core of the operating system, allowing it to alter or replace system applications, modify system settings, “sideload” questionable apps, and run its own components with permissions normally reserved for the system itself; these permissions are withheld from ordinary Android users and apps precisely to protect the device. In this case the malware exploits known privilege-escalation vulnerabilities in older Android builds to gain root, then copies itself into the otherwise well protected system partition, alongside the device’s built-in apps, which is what makes it nearly impossible to remove by normal means. While Google has released patches for Android that close the vulnerabilities being exploited, relatively few users have received them, because patches have to be “pushed” to devices by third parties, such as the cell phone carriers or device manufacturers, and only a few have done so.
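A rooted device that has had a system app planted on it usually shows two things that a stock device does not: a package under /system that the manufacturer never shipped, and a /system filesystem that has been remounted read-write. The following triage script is an added example, not code from the article or from Lookout; it parses constructed samples of the output of `adb shell pm list packages -f` and `adb shell mount`, and the baseline of “known good” system packages and the package name com.sys.adcore are hypothetical stand-ins, not real indicators.

```python
"""Triage adb output for signs of system-partition persistence.

Added example, not code from the article or from Lookout. It works on
constructed samples of `adb shell pm list packages -f` and `adb shell mount`
output so that it runs offline; on a real device you would feed it the live output.
"""
import re

# Constructed sample: `pm list packages -f` prints "package:<apk path>=<package>".
# com.sys.adcore is a made-up package name standing in for an unexpected system app.
SAMPLE_PM_LIST = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Calendar/Calendar.apk=com.android.calendar
package:/system/app/com.sys.adcore/com.sys.adcore.apk=com.sys.adcore
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
package:/system/priv-app/GmsCore/GmsCore.apk=com.google.android.gms
"""

# Constructed sample of `mount` output. A stock device mounts /system read-only (ro);
# rw means something remounted it, which rooting malware must do to install itself there.
SAMPLE_MOUNT = """\
/dev/block/bootdevice/by-name/system /system ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0
"""

# Hypothetical baseline: every package that lives under /system on a clean device of
# the same model and build. Generate it from a known-good unit or the factory image.
CLEAN_SYSTEM_BASELINE = {
    "com.android.settings",
    "com.android.calendar",
    "com.google.android.gms",
}

PM_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[\w.]+)$")


def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    packages = {}
    for line in text.splitlines():
        match = PM_LINE.match(line.strip())
        if match:
            packages[match.group("pkg")] = match.group("path")
    return packages


def unexpected_system_packages(pm_text, baseline):
    """Packages installed under /system that the clean baseline does not know about."""
    return sorted(
        pkg
        for pkg, path in parse_pm_list(pm_text).items()
        if path.startswith("/system/") and pkg not in baseline
    )


def system_mounted_writable(mount_text):
    """True if the /system filesystem is currently mounted read-write."""
    for line in mount_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/system":
            return "rw" in fields[3].split(",")
    return False


def triage(pm_text, mount_text, baseline):
    """Combine both indicators into one report dict."""
    return {
        "unexpected_system_packages": unexpected_system_packages(pm_text, baseline),
        "system_writable": system_mounted_writable(mount_text),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PM_LIST, SAMPLE_MOUNT, CLEAN_SYSTEM_BASELINE))
```

Treat a clean result as weak evidence only: the baseline is specific to one model and firmware build, and malware that already holds root could in principle hide itself from `pm` or remount /system read-only after installing. A positive result, on the other hand, is exactly the kind of system-level foothold that a factory reset will not clear.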
These three malware families have been infecting thousands of Android smartphones, tablets, and other devices every day, according to Lookout, a leading Android security company. According to Martin Brinkmann, in his column “Lookout: New, sneaky Android adware tries to root phones” published by ghacks.net on November 6, 2015, “Lookout stated that it discovered the adware, dubbed Shuanet, in more than 20,000 popular re-packaged applications including Facebook, Candy Crush, New York Times, Snapchat, Twitter or Whatsapp.” A re-packaged app is a legitimate app that has been taken apart, had malicious code added, and been re-signed and re-bundled so that it still looks and works like the original. These 20,000 re-packaged apps were generally downloaded from third-party app stores, not from the Google Play Store, although it has been widely rumored that Google detected and immediately removed a handful of such apps from the Play Store. By default most Android devices will only install apps from the Google Play Store, but it is a very simple matter for a user to go into the device settings and allow installation from other (“unknown”) sources. According to Brinkmann, “These apps function normally for the most part, and the only indicator that something is not right is the occasional ad popup they display on the device. This is one of the few indicators users get on their device that something is wrong. Good news, and that is just cold comfort, is that the malicious code is only designed to display adware on the user’s device.” The problem is that the same techniques could be used to install more dangerous malware on unpatched devices, malware that could steal user data and information, or worse.
Several publishers of Android security software now list Shuanet, Shiftybug, and Shedun as malware they can detect and block from being installed on an otherwise “clean” device. At present, however, there is no really effective way to remove an existing infection short of wiping the operating system and all of the data on the device and installing a fresh copy of Android (re-flashing the firmware). Note that an ordinary factory reset is not enough: it wipes only the user-data partition and leaves the system partition, where this malware has installed itself, untouched. Re-flashing is a gross inconvenience and somewhat time consuming, and it may still leave a device vulnerable to future infection unless the fresh copy of Android is one that includes the relevant security patches. Likewise, the user of the freshly installed software must resist the temptation to download apps from “less than reputable” third-party sources, although some third-party app vendors, such as Amazon, routinely scan their available apps for malware before making them available for download. Users who backed up their apps by saving copies of the associated APK files (install files) before wiping the device could immediately reinfect it by reinstalling those same APK files, some of which may have been the infected ones; rather than risk another infection, it is better to download fresh copies of all apps from the Google Play Store, Amazon, or another thoroughly reputable source, and not to get apps or APK files from questionable sources.
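One mechanical check worth running on a backed-up APK before reinstalling it, relevant both to the re-packaged apps described above and to the reinfection risk just mentioned: every non-signature file in an APK is listed in META-INF/MANIFEST.MF with a digest, so a file that is missing from the manifest, or whose digest no longer matches, was added or changed after the app was signed. The script below is an added example, not code from the article or from any vendor; it builds a minimal, constructed APK-shaped zip in memory (the package name com.example.game and the injected file name are made up) and verifies it offline.

```python
"""Check a backed-up APK's JAR-signing manifest before reinstalling it.

Added example, not code from the article. The sample APK is constructed in
memory so the check runs offline; point check_apk() at real APK bytes otherwise.
"""
import base64
import hashlib
import io
import zipfile

DIGEST_ALGOS = {"SHA-256-Digest": "sha256", "SHA1-Digest": "sha1"}


def _b64_digest(algo, data):
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def build_sample_apk(inject_payload):
    """Constructed minimal APK-shaped zip. With inject_payload=True a file is
    smuggled in after the manifest was written, imitating a repackager that
    did not regenerate the manifest."""
    files = {
        "AndroidManifest.xml": b"<manifest package='com.example.game'/>",
        "classes.dex": b"dex\n035\x00" + b"A" * 32,
    }
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {_b64_digest('sha256', data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        if inject_payload:
            # Made-up injected native library; only its presence matters here.
            z.writestr("lib/armeabi/libinjected.so", b"\x7fELF" + b"B" * 64)
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
    return buf.getvalue()


def parse_manifest(text):
    """Map entry name -> (hashlib algo, base64 digest) from MANIFEST.MF text.
    Lines beginning with a space are continuations of the previous line."""
    unwrapped = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unwrapped:
            unwrapped[-1] += raw[1:]
        else:
            unwrapped.append(raw)
    entries, name, digest = {}, None, None
    for line in unwrapped + [""]:  # trailing "" flushes the last section
        if line == "":
            if name and digest:
                entries[name] = digest
            name = digest = None
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        elif key in DIGEST_ALGOS:
            digest = (DIGEST_ALGOS[key], value)
    return entries


def check_apk(apk_bytes):
    """Return the modified, unlisted and missing entries (all empty when intact)."""
    modified, unlisted = [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        present = [n for n in z.namelist()
                   if not n.startswith("META-INF/") and not n.endswith("/")]
        for name in present:
            if name not in manifest:
                unlisted.append(name)
                continue
            algo, expected = manifest[name]
            if _b64_digest(algo, z.read(name)) != expected:
                modified.append(name)
    missing = sorted(set(manifest) - set(present))
    return {"modified": sorted(modified), "unlisted": sorted(unlisted), "missing": missing}


def apk_is_intact(apk_bytes):
    """True only when every file is listed in the manifest with a matching digest."""
    return not any(check_apk(apk_bytes).values())


if __name__ == "__main__":
    print("clean:", check_apk(build_sample_apk(False)))
    print("tampered:", check_apk(build_sample_apk(True)))
```

The caveat is important: a repackager that regenerates the manifest and re-signs the whole APK with its own key will pass this check, because the manifest is then self-consistent. So the decisive test for a re-packaged app is who signed it; compare the signing certificate that `apksigner verify --print-certs` reports for the backed-up file with the certificate on a fresh copy from the Google Play Store, and discard the backup if they differ.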
Several of the major Android security companies are reportedly developing ways to mitigate and control the ads that appear as a result of these adware infections. One product that claims to control these illicit ads is “Ad Clean & Antivirus Security”, published by the Hong Kong based StopBadapp (stopbadapp.com) and available from the Google Play Store. According to the StopBadapp website, “Our work protects the mobile life of people and organizations from becoming victims of adware, spyware, malware, greyware, and other bad apps.” Among the illicit ads the product claims to minimize are “Push ads”, “Shortcuts ads”, “Float ads”, “Popup ads on home screen”, “Disturb Interstitial ads”, and “Pop up browser and redirect download link to Play”. While the “Ad Clean & Antivirus Security” app is itself free, there are optional in-app purchases ranging from $2.99 to $29.99. Bear in mind that a product of this kind suppresses the symptom; it does not remove the root-level infection described above.
While it is a shame that some people would illicitly make money by bombarding us with unwanted and intrusive ads on our Android devices, it is especially aggravating that the malware bringing us these irritants cannot be easily removed from our devices. More worrying still, the same technology that brings us this malware can also be used to bring far greater threats to our privacy and personal security. According to a November 6 article on Threatpost, “Shuanet Adware Rooting Android Devices Via Trojanized Apps”, by Michael Mimoso, quoting a report from Lookout Security, “We expect this class of trojanized adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional malware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities.” Google, device manufacturers, cell phone carriers, and the security software publishers will inevitably have to become more involved in the security of our connected devices in order to protect their markets.
While we wait for security technology to catch up, “cat and mouse” style, with the intelligent bad guys who create this rubbish, there are things that we as Android users can do to improve our protection to a significant degree. As with other forms of computing, we really do need a comprehensive security app to protect our Android devices; several excellent free security apps are available, and they are evaluated and ranked on Gizmo’s TechSupportAlert.com at techsupportalert.com/content/best-free-antivirus-app-android.htm. Many of the better known commercial publishers of desktop security software also publish free or paid security apps for Android, and these may be worth considering. We should also be very wary about downloading apps, avoid questionable sources, and restrict our app downloads to the Google Play Store or known vendors such as Amazon.
While Android has by far the largest installed base of smart device users, it is inevitable that the techniques used by these cyber crooks will be ported to other operating systems, specifically Apple’s iOS. Users of those other smart device operating systems should not be smug and belittle Android users; you may very well be the next target of these bad guys.
WEBSITES:
- https://img.talkandroid.com/uploads/2015/11/Lookout_map_torjan_virus_android_security_100615.png
- http://www.ghacks.net/2015/11/06/lookout-new-sneaky-android-adware-tries-to-root-phones/
- https://thestack.com/security/2015/11/04/trojanised-adware-including-newcomer-shuanet-infects-20000-recoded-android-apps/
- http://virusradar.com/en/Android_TrojanDropper.Shedun.N/description
- http://securitynewswire.com/securityvirus2012/article.php?title=Android_Shedun.C.Gen
- https://blog.avira.com/shedun/
- http://www.virusradar.com/en/Android_TrojanDropper.Shedun.O/description
- http://betanews.com/2015/11/05/shuanet-shiftybug-and-shedun-malware-could-auto-root-your-android/
- http://www.extremetech.com/mobile/217544-new-android-adware-tries-to-root-your-phone-so-you-cant-remove-it
- http://www.talkandroid.com/272855-new-android-malware-virus-puts-millions-of-devices-at-risk/
- https://threatpost.com/shuanet-adware-rooting-android-devices-via-trojanized-apps/115265/
- http://www.stopbadapp.com
- https://play.google.com/store/apps/details?id=com.secore.privacyshield
- http://www.techsupportalert.com/content/best-free-antivirus-app-android.htm