A group of researchers has discovered a new strain of Android malware that is nearly impossible to remove from mobile devices. It can also render smartphones vulnerable to harmful root exploits. Worse, the malware can disguise itself as one of the many mobile apps from Facebook, Twitter, and even Okta, a two-factor authentication service.
The researchers are from Lookout, a mobile security firm, and they announced their discovery in a post published on their official blog. They have determined that there are over 20,000 samples of trojanized mobile apps that try to mimic the code or other features of official mobile apps in Google Play and are then offered on third-party markets. To mobile users, these repackaged apps look just like the originals, even displaying similar functionality and interface. But secretly, these apps make use of exploits that gain root access to the Android platform. Found in three app families (namely Shedun, Shuanet, and ShiftyBug), these exploits let the modified apps install themselves as system apps, a high-privilege status that gives them generous leeway to cause serious damage.
According to the Lookout researchers, these apps may seem to only display ads, but they are actually capable of far more dangerous behavior. Under Android's sandboxing, for example, apps are not allowed to access passwords and other information. But when given root access, apps can bypass such security measures, which makes these repackaged apps all the more dangerous.
Moreover, these modified apps make use of multiple root exploits, which means that they can attack a smartphone according to its specific vulnerabilities. For example, ShiftyBug uses at least eight different root exploits, with names such as Memexploit, Framaroot, and ExynosAbuse. Many of them are readily available and are often used by legitimate services to let mobile users root their Android handsets so that they can bypass limitations set by phone makers or wireless carriers.
As determined by the researchers, hackers download apps from Google Play and then modify them with malicious code before distributing them through third-party websites. The researchers have found that the highest number of cases is in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.
As far as Lookout knows, none of the modified mobile apps have entered Google Play yet. But even Google Play is not completely immune to harmful apps, despite its pretty impressive security measures. As a matter of fact, several breaches happen on a yearly basis, even on Google Play, and it is imperative that people become aware that such dangerous apps are out there.