Three new malware strains infect 20k apps, impossible to wipe, only affect Android
A new adware scourge injecting itself into popular apps such as Facebook and Twitter is also "virtually impossible to uninstall," requiring infected users to replace their phones. Because it only affects users of Google's open-store Android app model, the device replacement requirement may accelerate the trend of users switching to iOS.


"A new trend for adware and an alarming one at that"
Three new families of "auto-rooting adware," detailed by security researchers at Lookout, are "a worrying development in the Android ecosystem" because each can root the device and install itself as a system application, making the contamination virtually impossible to remove as the infection is designed to survive even a "factory data reset" device wipe.
The group found infections among more than 20,000 popular apps, with many contaminated apps appearing to be legitimate, working titles ranging from Candy Crush to Facebook to Snapchat, WhatsApp, The New York Times and even Google Now.
The three malware families (named Shedun, Shuanet and ShiftyBug) are closely related but appear to be independently authored. Each relies on "publicly available exploits that perform the rooting function" and their "authors used the same pieces of code to build their versions of the auto-rooting adware," the researchers noted, leveraging the ecosystem of powerful and easy to find tools for attacking Android devices.

Source: Lookout
"For individuals, getting infected with Shedun, Shuanet and ShiftyBug might mean a trip to the store to buy a new phone. Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy," noted researcher Michael Bentley.
The discovered app infections were concentrated in "United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico and Indonesia," a series of countries where Apple is already experiencing significant switcher growth from Android.
Tim Cook specifically noted Indonesia and India among the emerging markets where he said he was "really impressed last quarter with our progress."
Apple's iPhone has previously had limited exposure in India, where according to a recent report by the Financial Times, it has maintained just 1 to 2 percent share of smartphones by units (albeit a 10 percent share by value).
An attack on the permissive software model of Android
The contaminated apps Lookout found were harvested from Google Play, infected with a payload and then republished on third party app sites enabled by Google's open app model allowing Android users to find and download apps from multiple stores.
Apple has repeatedly maintained that Android's permissive software installation "features" were a security risk, but Android's architects, partners and enthusiast users denied this while portraying Apple's App Store model--providing a single, vetted source for iOS apps--as being an unnecessarily restrictive "Walled Garden."
In addition to being a problem for individuals, Lookout also noted that the auto-rooting malware is a special concern for business users, "especially if those devices were rooted by a repackaged version of a legitimate and popular enterprise app.
"In this rooted state, an everyday victim won't have the proper interface to control what apps on the phone request root access. The problem here is that these apps may gain access to data they shouldn't have access to, given their escalated privileges."
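A quick check a defender could script for the system-app persistence described above (an added example, not from the article or Lookout): it parses the output format of `adb shell pm list packages -f -s` and flags consumer apps whose APK sits on the /system partition, where a user-installed app has no business being. The watch-list package names and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the article or Lookout). Consumer apps normally install
# under /data/app; an adware-repackaged copy that rooted the phone and parked
# itself under /system survives a factory reset. This flags that condition.

# Assumed watch list of popular consumer package names; extend for your fleet.
WATCHLIST="com.facebook.katana com.twitter.android com.whatsapp com.snapchat.android"

# Constructed sample standing in for: adb shell pm list packages -f -s
# Format of each line: package:<apk path>=<package name>
SAMPLE='package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Gallery2/Gallery2.apk=com.android.gallery3d
package:/system/app/Facebook/Facebook.apk=com.facebook.katana
package:/system/priv-app/Phone/Phone.apk=com.android.phone'

# Print one SUSPECT line per watch-listed package whose APK lives under /system.
find_suspicious_system_apps() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        # Only lines of the expected format with a /system path are of interest.
        case "$line" in
            package:/system/*=*) ;;
            *) continue ;;
        esac
        name=${line##*=}
        path=${line#package:}
        path=${path%=*}
        for w in $WATCHLIST; do
            if [ "$name" = "$w" ]; then
                echo "SUSPECT $name at $path"
            fi
        done
    done
}

# Number of suspicious entries found in the given listing.
count_suspicious() {
    find_suspicious_system_apps "$1" | wc -l | tr -d ' '
}

find_suspicious_system_apps "$SAMPLE"
```

On a real device, replace `$SAMPLE` with the live listing, e.g. `find_suspicious_system_apps "$(adb shell pm list packages -f -s)"`.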
Google's Android software model not only facilitates the increasingly large business of copying legitimate apps and distributing them with a malware payload, but also makes Android a ripe platform for piracy and counterfeiters, a reality that has hurt its ability to foster legitimate commercial app development.
The current problems posed by Shedun, Shuanet and ShiftyBug are difficult for Google to address because it has no effective control over third party app stores, apart from advising Android users not to use them--after spending years claiming that third party stores would be a feature, not a peril.
It's also a defamation problem for legitimate app developers, as many users won't understand why legitimate-appearing software, branded as coming from Facebook, known game developers or even Google, is damaging their phone to the point of requiring a replacement.
"We believe more families of adware trojanizing popular apps will emerge in the near future and look to dig its heels into the reserved file system to avoid being removed," Lookout noted.
Apple has continued to block efforts to root iPhones, addressing jailbreak exploits in new releases of iOS that make it increasingly difficult--and increasingly unpopular--to seek apps from any source outside of the official App Store. That's enabled the company to address problems quickly by banning apps that overstep Apple's curation policies, including malware and data collection, as it recently did to contain XcodeGhost.
Comments
The advice to stick to the official Google Play Store and not to disable default security settings just got another big boost.
I don't believe that's at all accurate. On the contrary, Google has long recommended that users not disable 3rd party app blocking. And of course, why wouldn't they, if for no other reason than that they make a profit from Google Play and zilch from other Android app stores. I think DED has confused some fan comments for Google's position on it.
Ok, just so I'm straight -- it's only a potential problem for Android apps that aren't sourced from Google Play? I don't use an Android myself, but I want to know so I can correctly inform friends who do. i.e. If I tell them to only download from Google Play, that solves the potential problem?
LOL! Talk about timing! Several posts concerning security today, many of them mine, and this makes a great topper.
Wait, but for years all we've been hearing from Android evangelizers is that the massive advantage of Android is 3rd party app stores, being able to customize the OS, remove all security barriers, etc., and that's the primary reason for going that way. iOS is so horrible because it's a "walled garden", and Android is so awesome because of stuff like this. Now, the advice is to pretend that capability doesn't exist?
Same rules as OS X, don't download and install anything from dodgy websites.
Many of these third party sites are not considered "dodgy" but rather the localized versions of Google Play, where it's common to get their apps in those countries.
Google explicitly sold the "openness" of Android's app distribution as a feature. A variety of alt Android app markets have attempted to erect a walled garden like Amazon.
You are incorrect. Do some reading about how Google positioned Android across its first 7 years if you have forgotten it all.
Android's largest market is China, where there isn't any access to Google Play at all.
EDIT: I see you added to your post after the fact. I assume you aren't referring to Google Android then when talking about its largest market.
As for China, are you referring to Google Android or "other"?
Oh I do read. A lot. Do you have a single example over the past 5 years of Google suggesting 3rd party app stores are a plus, or even promote disabling the default security settings as a great feature?
I happen to know you are really good at googling stuff on your own.
It's not even controversial that Google promoted open access to any app stores as a primary feature of Android. That only was backpedaled after it blew up into a security nightmare. You were making excuses for it all the way, don't you remember?
Also, any form of Android, whether AOSP or Nexus branded or whatever, has no access to Google Play in China. Everything Google is blocked in China.
What's happening with the XcodeGhost issue? The webpage that Apple published http://www.apple.com/cn/xcodeghost/#english says to check back as it will be updated but it's been about 5 weeks with no update.
I'm not suggesting Google did or does everything the way it should be. Heck, they're constantly changing things, and the more they do the closer they get to handling appstores and security more like Apple has for some time. They're even gradually coming around to understand Apple's control over chipset designs used with their OS is a big advantage and looking into doing the same with Android. Apple may have gone just a tad far with "lock-in" or maybe not. From a revenue standpoint they nailed it. Opening it up a little probably wouldn't add a penny to their coffers, while too much openness in Android does create problems Apple doesn't have to worry about.
What is plain as day is that Google's original vision for Android 7 years ago hasn't worked out like they assumed. But writing that they've promoted 3rd party app stores or disabling security as a great feature for years is, and this is being charitable, taking a very large literary license IMHO sir. Instead, it's been years since they have. FWIW Google should put up bigger fences as far as I'm concerned, so on that we're probably in agreement.
I read every article you write here and learn something from nearly every one of them. Going overboard with fluffing the facts and mixing in unrelated side issues sometimes makes it hard to separate wheat from chaff, but that's me. It's plain that many here like your style and you have enthusiastic fans. I get it. No matter, I'll continue to read every article you write.
It's the best place to ride out the Android apocalypse.
Issue was fixed a while ago. Apple removed the infected apps shortly after XcodeGhost was discovered. The developers of the infected apps were idiots for downloading counterfeit copies of Xcode and not downloading from Apple.
"Android Apocalypse" definitely sounds right. After all, Android defenders basically have zero brains to begin with to support such a wretched, botched OS.
I'm afraid we might have to raise the FUD flag. It's very easy to determine if your device has been rooted and not that difficult to unroot the device and reinstall the firmware. Claiming you have to replace the device is hysterical nonsense.
EDIT: This is the most recent security post about it.
https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html