Three new malware strains infect 20k apps, impossible to wipe, only affect Android

Posted in iPhone, edited November 2015
A new adware scourge injecting itself into popular apps such as Facebook and Twitter is also "virtually impossible to uninstall," requiring infected users to replace their phones. Because it only affects users of Google's open-store Android app model, the device replacement requirement may accelerate the trend of users switching to iOS.


"A new trend for adware and an alarming one at that"

Three new families of "auto-rooting adware," detailed by security researchers at Lookout, are "a worrying development in the Android ecosystem" because each can root the device and install itself as a system application, making the contamination virtually impossible to remove as the infection is designed to survive even a "factory data reset" device wipe.

The group found infections among more than 20,000 popular apps, with many contaminated apps appearing to be legitimate, working titles ranging from Candy Crush to Facebook to Snapchat, WhatsApp, The New York Times and even Google Now.

"The infection is designed to survive even a 'factory data reset' device wipe"

The three malware families (named Shedun, Shuanet and ShiftyBug) are closely related but appear to be independently authored. Each relies on "publicly available exploits that perform the rooting function," and their "authors used the same pieces of code to build their versions of the auto-rooting adware," the researchers noted, leveraging the ecosystem of powerful and easy-to-find tools for attacking Android devices.


Source: Lookout


"For individuals, getting infected with Shedun, Shuanet and ShiftyBug might mean a trip to the store to buy a new phone. Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy," noted researcher Michael Bentley.

"Getting infected with Shedun, Shuanet and ShiftyBug might mean a trip to the store to buy a new phone" - Lookout

The discovered app infections were concentrated in "United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico and Indonesia," a series of countries where Apple is already experiencing significant switcher growth from Android.

Tim Cook specifically noted Indonesia and India among the emerging markets where he said he was "really impressed last quarter with our progress."

Apple's iPhone has previously had limited exposure in India, where according to a recent report by the Financial Times, it has maintained just 1 to 2 percent share of smartphones by units (albeit a 10 percent share by value).

An attack on the permissive software model of Android

The contaminated apps Lookout found were harvested from Google Play, infected with a payload and then republished on third party app sites enabled by Google's open app model allowing Android users to find and download apps from multiple stores.

Apple has repeatedly maintained that Android's permissive software installation "features" were a security risk, but Android's architects, partners and enthusiast users denied this while portraying Apple's App Store model--providing a single, vetted source for iOS apps--as being an unnecessarily restrictive "Walled Garden."

In addition to being a problem for individuals, Lookout also noted that the auto-rooting malware is a special concern for business users, "especially if those devices were rooted by a repackaged version of a legitimate and popular enterprise app.

"In this rooted state, an everyday victim won't have the proper interface to control what apps on the phone request root access. The problem here is that these apps may gain access to data they shouldn't have access to, given their escalated privileges."
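One defender-side check follows from the mechanism described above: the repackaged consumer apps are rooted into the system partition, which a factory reset does not touch, whereas on a stock device apps such as Facebook or WhatsApp are installed under /data/app. A well-known package name showing up under /system is therefore a red flag worth triaging. The script below is an added example, not code from the article or from Lookout; it parses the `package:<apk path>=<package name>` lines that `adb shell pm list packages -f` prints, against a constructed sample listing and an assumed allowlist of consumer package names.

```shell
#!/bin/sh
# Added example: flag consumer app packages that have been installed into the
# system partition. Input lines have the form printed by
# `adb shell pm list packages -f`:
#   package:<apk path>=<package name>

# Constructed sample of `pm list packages -f` output (not real device data).
SAMPLE='package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
package:/system/app/com.facebook.katana-1/base.apk=com.facebook.katana
package:/data/app/com.snapchat.android-2/base.apk=com.snapchat.android
package:/system/app/com.twitter.android/base.apk=com.twitter.android'

# Assumed allowlist of popular consumer apps that a stock device installs
# under /data/app only; extend it for the apps relevant to your fleet.
USER_APPS='com.facebook.katana com.twitter.android com.whatsapp com.snapchat.android'

# Read pm output on stdin; print one package name per line for every entry
# whose APK path is under /system and whose name is in USER_APPS.
flag_system_consumer_apps() {
    while IFS= read -r line; do
        case "$line" in
            package:/system/*) ;;
            *) continue ;;
        esac
        pkg=${line##*=}
        for known in $USER_APPS; do
            if [ "$pkg" = "$known" ]; then
                printf '%s\n' "$pkg"
            fi
        done
    done
}

# Run the check over the constructed sample. Returns 0 when nothing was
# flagged and 1 when at least one consumer app sits under /system.
check_sample() {
    flagged=$(printf '%s\n' "$SAMPLE" | flag_system_consumer_apps)
    if [ -n "$flagged" ]; then
        printf 'suspicious system-partition packages:\n%s\n' "$flagged"
        return 1
    fi
    echo "no consumer apps found under /system"
    return 0
}

# On a real device, pipe `adb shell pm list packages -f` into
# flag_system_consumer_apps instead of using the sample.
check_sample || echo "review the packages listed above before trusting this device"
```

Newer builds also ship preinstalled apps from /product and /vendor, so extend the `case` pattern to those prefixes if your fleet uses them; the point of the check is simply that a package the vendor never shipped should not be living in a partition the user cannot clear.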

Google's Android software model not only facilitates the increasingly large business of copying legitimate apps and distributing them with a malware payload, but also makes Android a ripe platform for piracy and counterfeiters, a reality that has hurt its ability to foster legitimate commercial app development.

The current problems posed by Shedun, Shuanet and ShiftyBug are difficult for Google to address because it has no effective control over third party app stores, apart from advising Android users not to use them--after spending years claiming that third party stores would be a feature, not a peril.

It's also a defamation problem for legitimate app developers, as many users won't understand why legitimate-appearing software, branded as coming from Facebook, known game developers or even Google, is damaging their phone to the point of requiring a replacement.

"We believe more families of adware trojanizing popular apps will emerge in the near future and look to dig its heels into the reserved file system to avoid being removed," Lookout noted.

Apple has continued to block efforts to root iPhones, addressing jailbreak exploits in new releases of iOS that make it increasingly difficult--and increasingly unpopular--to seek apps from any source outside of the official App Store. That's enabled the company to address problems quickly by banning apps that overstep Apple's curation policies, including malware and data collection, as it recently did to contain XcodeGhost.

Comments

  • Reply 1 of 166
    gatorguy Posts: 19,321 member
    LOL! Talk about timing! Several posts concerning security today, many of them mine, and this makes a great topper.

    The advice to stick to the official Google Play Store and not to disable default security settings just got another big boost.

    The current problems posed by Shedun, Shuanet and ShiftyBug are difficult for Google to address because it has no effective control over third party app stores, apart from advising Android users not to use them--after spending years claiming that third party stores would be a feature, not a peril.

    I don't believe that's at all accurate. On the contrary Google has long recommended that users not disable 3rd party app blocking. And of course why wouldn't they if not any other reason than they make a profit from Google Play and zilch from other Android app stores. I think DED has confused some fan comments for Google's position on it.
  • Reply 2 of 166

    Ok, just so I'm straight -- it's only a potential problem for Android apps that aren't sourced from Google Play? I don't use an Android myself, but I want to know so I can correctly inform friends who do, i.e. if I tell them to only download from Google Play, that solves the potential problem?

  • Reply 3 of 166
    slurpy Posts: 5,061 member
    Quote:
    Originally Posted by Gatorguy
    LOL! Talk about timing! Several posts concerning security today, many of them mine, and this makes a great topper.
    The advice to stick to the official Google Play Store and not to disable default security settings just got another big boost.

    Wait, but for years all we've been hearing from Android evangelizers is that the massive advantage of Android is 3rd party app stores, being able to customize the OS, remove all security barriers, etc, and that's the primary reason for going that way. iOS is so horrible because it's a "walled garden", and Android is so awesome because of stuff like this. Now, the advice is to pretend that capability doesn't exist?

  • Reply 4 of 166
    irnchriz Posts: 1,566 member
    Same rules as OS X, don't download and install anything from dodgy websites.
  • Reply 5 of 166
    Quote:
    Originally Posted by irnchriz
    Same rules as OS X, don't download and install anything from dodgy websites.
    Many of these third party sites are not considered "dodgy" but rather the localized versions of Google Play, where it's common to get their apps in those countries.

    Google explicitly sold the "openness" of Android's app distribution as a feature. A variety of alt Android app markets have attempted to erect a walled garden like Amazon.

  • Reply 6 of 166
    Quote:
    Originally Posted by Gatorguy
    LOL! Talk about timing! Several posts concerning security today, many of them mine, and this makes a great topper.
    The advice to stick to the official Google Play Store and not to disable default security settings just got another big boost.
    I don't believe that's at all accurate. On the contrary Google has long recommended that users not disable 3rd party app blocking. And of course why wouldn't they if not any other reason than they make a profit from Google Play and zilch from other Android app stores. I think DED has confused some fan comments for Google's position on it.
    You are incorrect. Do some reading about how Google positioned Android across its first 7 years if you have forgotten it all.

    Android's largest market is China, where there isn't any access to Google Play at all.

  • Reply 7 of 166
    gatorguy Posts: 19,321 member

    Many of these third party sites are not considered "dodgy" but rather the localized versions of Google Play.
    Such as?

    EDIT: I see you added to your post after the fact. I assume you aren't referring to Google Android then when talking about its largest market.
  • Reply 8 of 166
    gatorguy Posts: 19,321 member

    You are incorrect. Do some reading about how Google positioned Android across its first 7 years if you have forgotten it all.

    Android's largest market is China, where there isn't any access to Google Play at all. 
    Oh I do read. A lot. Do you have a single example over the past 5 years of Google suggesting 3rd party app stores are a plus, or even promote disabling the default security settings as a great feature?

    As for China are you referring to Google Android or "other".
  • Reply 9 of 166
    wood1208 Posts: 1,616 member
    Time and time again, Android's vulnerability to security holes and malware attacks has been proven, from university research teams to corporate IT departments to individual smartphone users. Go with iOS.
  • Reply 10 of 166
    lwio Posts: 75 member
    Puts feet up, sips cocktail and enjoys the walled garden.
  • Reply 11 of 166
    Quote:
    Originally Posted by Gatorguy
    Oh I do read. A lot. Do you have a single example over the past 5 years of Google suggesting 3rd party app stores are a plus, or even promote disabling the default security settings as a great feature?
    As for China are you referring to Google Android or "other".
    I happen to know you are really good at googling stuff on your own.

    It's not even controversial that Google promoted open access to any app stores as a primary feature of Android. That only was backpedaled after it blew up into a security nightmare. You were making excuses for it all the way, don't you remember?

    Also, any form of Android, whether AOSP or Nexus branded or whatever, has no access to Google Play in China. Everything Google is blocked in China.

  • Reply 12 of 166
    gatorguy Posts: 19,321 member
    slurpy wrote: »
    Wait, but for years all we've been hearing from Android evangelizers is that the massive advantage of Android is 3rd party app stores, being able to customize the OS, remove all security barriers, etc, and that's the primary reason for going that way. iOS is so horrible because it's a "walled garden", and Android is so awesome because of stuff like this. Now, the advice is to pretend that capability doesn't exist?
    You're right. Maybe a "walled garden" would be going too far but a chain-link fence couldn't hurt.
  • Reply 13 of 166

    What's happening with the XcodeGhost issue? The webpage that Apple published http://www.apple.com/cn/xcodeghost/#english says to check back as it will be updated, but it's been about 5 weeks with no update.

  • Reply 14 of 166
    gatorguy Posts: 19,321 member

    I happen to know you are really good at googling stuff on your own.
    So you couldn't find one either.

    I'm not suggesting Google did or does everything the way it should be. Heck, they're constantly changing things, and the more they do the closer they get to handling appstores and security more like Apple has for some time. They're even gradually coming around to understand Apple's control over chipset designs used with their OS is a big advantage and looking into doing the same with Android. Apple may have gone just a tad far with "lock-in" or maybe not. From a revenue standpoint they nailed it. Opening it up a little probably wouldn't add a penny to their coffers, while too much openness in Android does create problems Apple doesn't have to worry about.

    What is plain as day is that Google's original vision for Android 7 years ago hasn't worked out like they assumed. But writing they've promoted 3rd party app stores or disabling security as a great feature for years is, and this is being charitable, taking a very large literary license IMHO sir. Instead, it's been years since they have. FWIW Google should put up bigger fences as far as I'm concerned, so on that we're probably in agreement.

    I read every article you write here and learn something from nearly every one of them. Going overboard with fluffing the facts and mixing in unrelated side issues sometimes makes it hard to separate wheat from chaff, but that's me. It's plain that many here like your style and you have enthusiastic fans. I get it. No matter, I'll continue to read every article you write.
  • Reply 15 of 166
    rp2011 Posts: 159 member
    I try not to go overboard with these type of claims but my girlfriend loves her Note 5 but now I am planning on accidentally breaking it and replacing it with an iPhone 6 to make amends. Not because I'm paranoid or anything...
  • Reply 16 of 166
    lwio wrote: »
    Puts feet up, sips cocktail and enjoys the walled garden.

    It's the best place to ride out the Android apocalypse.
  • Reply 17 of 166
    boltsfan17 Posts: 2,029 member
    Quote:
    Originally Posted by techrider
    What's happening with the XcodeGhost issue? The webpage that Apple published http://www.apple.com/cn/xcodeghost/#english says to check back as it will be updated, but it's been about 5 weeks with no update.
    Issue was fixed a while ago. Apple removed the infected apps shortly after xcodeghost was discovered. The developers of the infected apps were idiots for downloading counterfeit copies of xcode and not downloading from Apple. 

  • Reply 18 of 166
    sflocal Posts: 4,289 member
    Quote:
    Originally Posted by Suddenly Newton
    It's the best place to ride out the Android apocalypse.
    "Android Apocalypse" definitely sounds right.  After all, Android defenders basically have zero brains to begin with to support such a wretched, botched OS.

  • Reply 19 of 166

    I'm afraid we might have to raise the FUD flag.  It's very easy to determine if your device has been rooted and not that difficult to unroot the device and reinstall the firmware.  Claiming you have to replace the device is hysterical nonsense.  

  • Reply 20 of 166
    gatorguy Posts: 19,321 member
    boltsfan17 wrote: »
    Issue was fixed a while ago. Apple removed the infected apps shortly after xcodeghost was discovered. The developers of the infected apps were idiots for downloading counterfeit copies of xcode and not downloading from Apple. 
    Not fixed. So far about 300 apps removed. There are also some new variants of it out and about, no longer restricted to China, and the original researcher is still communicating with Apple to mitigate issues.

    EDIT: This is the most recent security post about it.
    https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html