Trojanized versions of 20,000 popular apps found secretly rooting Android devices

Lookout researchers have discovered some 20,000 apps that secretly root users’ phone and install themselves as system applications, which makes them able to access information on the device they usually wouldn’t have access to, and makes them nearly possible to remove.

The apps are usually Trojanized version of popular, legitimate Android apps – Facebook, Twitter, WhatsApp, Snapchat, Candy Crush, etc. – that function as the original ones, but also contain malicious exploit code that roots the device. These Trojanized versions are then offered for download on third-party app markets.

The exploits have been found in three app families: Shuanet, Shedun (aka GhostPush), and ShiftyBug (aka Kemoge). The 20,000 Trojanized apps belong to one of these families. “The highest detections for these three families together are in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia,” the researchers shared.

They also pointed out that their authors might not be the same, but they are associated in some capacity.

“We found that some variants from these families have 71 percent to 82 percent code similarity, meaning that the authors used the same pieces of code to build their versions of the auto-rooting adware. It’s clear the three have at least heard of each other,” they noted. The three families also share (publicly available) exploits such as Memexploit and Framaroot.

“The act of rooting the device in the first place creates additional security risk for enterprises and individuals alike, as other apps can then get root access to the device, giving them unrestricted access to files outside of their domain,” they explained. “Usually applications are not allowed to access the files created by other applications, however with root access, those limitation are easily bypassed.”

So far, the apps’ only potentially malicious behaviour is to show ads to users, but that could easily change, and they could, for example, be made to collect and exfiltrate sensitive information.

Removing the apps in question is difficult for users who are not tech savvy. The researchers advise them to either get help from professionals, or to consider buying a new device.

Share this
You are reading

Trojanized versions of 20,000 popular apps found secretly rooting Android devices