After the Ghost Push and Kemoge virus families were exposed by CMSecurity and FireEye Labs last month, another adware is disturbing the Android force. The said virus doesn’t ask for money but rather automatically roots the mobile device after installation of the “app”. The malware can’t be removed as it disguises itself as a system application. The only workaround is either you go to a pro fixer or buy a new device.
According to Lookout, this particular app is more sophisticated than it seems. It’s an adware alright, supposed to be just pushing annoying ads like the first two we mentioned , but it can now be considered more of a trojan now. It looks harmless like any other app but it can ruin the system once embedded.
The apps contain malicious codes that damage the phone by rooting it. It won’t bother the user as much but will just root the device silently. Deleting the app seems impossible and can only be done by professionals. While rooting may be “harmless” for some Android users, it poses great security risk because that means anyone can easily access the device. Permissions may be bypassed without the user knowing it.
More than 20,000 samples disguised as popular apps have been detected. Mostly, these are popular ones posing as legitimate apps like Facebook, Google Now, Snapchat, WhatsApp, Candy Crush, and NYtimes. You’ll see them like any other normal app listed on the Google Play Store but published in third-party app stores.
Lookout refers to this virus as the Shuanet, joining Ghost Push and Kemoge. These three are inter-connected trojans according to the company. These malware are masquerading as legit apps on Google Play Store and even on 3rd-party app stores. Usually, they are repackaged to trick Android users. So far, the top countries affected not only by Shuanet but also the other virus families (Kemoge and Ghost Push) are the US, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia as enumarated by the security firm.
CM Security earlier exclaimed that these virus families could be coming from China but there’s no real evidence yet. Lookout believe they were not created by one group only but there could be a close connection. Security researchers of the firm discovered that most of the apps they analyzed have about 71 to 82 percent similarity in code. Some exploits have been used by either of three virus families including ‘ExynosAbuse’, ‘Framaroot’, and ‘Memexploit’.
Shuanet plus Kemoge (aka Shiftybug) and GhostPush (Shedun) all bring disadvantages and harm to any device they are infecting. Developers become victims and may receive the blame. Businesses or the enterprise face huge network security problems while individual users may have to buy a new device. These people are inconvenienced.
Every Android mobile user is advised to take great precautions. Don’t just install any app especially those coming for third-party stores. If an app asks for money for access, ignore it or delete. Be wary of ransomware. Don’t click on any suspicious links from a website, ad, text message, or email. Update Android devices right away especially if it’s related to security issues and if software is released by Google and the manufacturer.