Earlier this month Lookout revealed the existence of three adware families – Shuanet, ShiftyBug and Shedun – that secretly root Android devices and are extremely difficult to remove. They come hidden in Trojanized versions of over 20,000 popular apps, and are offered for download on third-party app markets.
Now the company researchers discovered and shared another trick that Shedun uses to install additional apps on the compromised devices: it tricks users into enabling it to control the Android Accessibility Service.
Shedun, posing as a regular app, asks the users to turn on the accessibility service, and lies to them about what the service does (it says it helps stop inactive apps).
When it gains the permission to use the accessibility service, Shedun can read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and press the install button – no physical interaction from the user is required.
The process is demonstrated in this video:
“Shedun likely uses this technique in order to increase its revenue by guaranteeing the installation and execution of advertised applications. After all, marketing companies pay more money for advertising campaigns where the user actually interacts with the application after downloading it instead of simply downloading and forgetting about it,” the researchers noted.
“In this case, Shedun takes that choice away, leaving the user angry at the advertised app that they have been forced to experience, while simultaneously taking the money from ad agencies, despite having violated their policies.”