Shedun

Shedun is a family of Android malware (also known as Kemoge, ShiftyBug and Shuanet [1] [2] [3] ) first identified in late 2015 by the mobile security company Lookout; it was found in roughly 20,000 [4] popular Android applications. [3] [5] [6] [7] [8] Lookout claimed that the HummingBad malware was also part of the Shedun family, but these claims were refuted. [9] [10]

Avira Protection Labs stated that Shedun-family malware causes approximately 1,500 to 2,000 infections per day. [11] All three variants are known to share roughly 80% of their source code. [12] [13]

In mid-2016, Ars Technica reported that approximately 10,000,000 devices had been infected by this malware [14] and that new infections were still surging. [15] [16]

The malware's primary distribution vector is the repackaging of legitimate Android applications (e.g. Facebook, Twitter, WhatsApp, Candy Crush, Google Now and Snapchat [17] ) [4] [18] [19] with adware bundled in. The repackaged app, which remains fully functional, is then released on third-party app stores. [20] Once installed, it generates revenue by serving ads (estimated at about US$2 per installation [19] ). Most users cannot remove the malware without replacing the device; the only other known way to remove it is to root the affected device and re-flash a custom ROM. [21] [22]

In addition, Shedun-type malware has been found pre-installed on 26 different models [23] of Chinese Android hardware, including smartphones and tablet computers. [24] [25] [26] [27] [28] [29] [30] [31] [32] [33] [34] [35] [36]

Shedun-family malware is known for auto-rooting the Android OS [18] [37] using well-known exploits such as ExynosAbuse, Memexploit and Framaroot [38] (a potential privilege escalation [19] [39] [40] ), [41] for serving trojanized adware, and for installing itself into the system partition of the operating system, so that not even a factory reset removes it from an infected device. [42] [43]

Shedun malware is also known for abusing the Android Accessibility Service [2] [42] [44] [45] [46] [47] [48] and for downloading and installing arbitrary applications [49] (usually adware) without the user's permission. [3] It is classified as "aggressive adware" because it installs potentially unwanted programs (PUPs) [50] [51] [52] and serves ads. [53]
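The two traits described above, residency in the system partition and an accessibility-service grant held by a package that did not come from the official store, are both visible in ordinary device inventory. The following triage helper is an added example, not tooling from Lookout, Avira or any project named on this page; the package names, the stock allowlist and the command output it parses are constructed to mimic `adb shell pm list packages -f -i` and `adb shell settings get secure enabled_accessibility_services`.

```python
"""Triage helper for Shedun-style indicators (added example, constructed data)."""
import re
from dataclasses import dataclass

# Constructed sample of `pm list packages -f -i` output; all package names are hypothetical.
PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings  installer=null
package:/system/app/Calc/Calc.apk=com.android.calculator2  installer=null
package:/system/app/AdSvc/AdSvc.apk=com.example.adsvc  installer=null
package:/data/app/com.example.social-1/base.apk=com.example.social  installer=com.android.vending
package:/data/app/com.example.repack-2/base.apk=com.example.repack  installer=null
"""

# Constructed sample of `settings get secure enabled_accessibility_services` ("pkg/class:pkg/class").
ACCESSIBILITY_OUTPUT = "com.example.adsvc/.InstallHelper:com.example.repack/com.example.repack.ClickSvc"

# Packages expected on the stock image (constructed; in practice, export it from a
# known-good device of the same build and compare against that).
STOCK_ALLOWLIST = {"com.android.settings", "com.android.calculator2"}

PM_LINE = re.compile(r"^package:(?P<path>\S+)=(?P<pkg>[\w.]+)\s+installer=(?P<inst>\S+)$")


@dataclass
class Finding:
    package: str
    reasons: tuple


def parse_pm(output):
    """Return {package: (apk_path, installer or None)} from `pm list packages -f -i` lines."""
    pkgs = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installer = None if m["inst"] == "null" else m["inst"]
            pkgs[m["pkg"]] = (m["path"], installer)
    return pkgs


def parse_accessibility(output):
    """Return the set of packages that currently hold an enabled accessibility service."""
    return {entry.split("/", 1)[0] for entry in output.strip().split(":") if entry}


def triage(pm_output, a11y_output, allowlist):
    """Flag packages that show either persistence trait described for Shedun."""
    findings = []
    a11y_pkgs = parse_accessibility(a11y_output)
    for pkg, (path, installer) in parse_pm(pm_output).items():
        reasons = []
        # Trait 1: lives in /system (survives factory reset) but was not part of the stock image.
        if path.startswith("/system/") and pkg not in allowlist:
            reasons.append("resides in /system but is not in the stock allowlist")
        # Trait 2: holds an accessibility grant yet was not installed through Google Play.
        if pkg in a11y_pkgs and installer != "com.android.vending":
            reasons.append("holds an accessibility grant but was not installed from Play")
        if reasons:
            findings.append(Finding(pkg, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(PM_OUTPUT, ACCESSIBILITY_OUTPUT, STOCK_ALLOWLIST):
        print(f.package, "->", "; ".join(f.reasons))
```

On the constructed input, the helper flags the hypothetical `com.example.adsvc` for both traits and `com.example.repack` for the accessibility grant alone; a stock system app that legitimately holds an accessibility grant will still be flagged by trait 2 unless its installer is Play, so review findings rather than acting on them automatically.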

As of April 2016, most security researchers considered Shedun malware next to impossible to remove entirely. [54] [55] [56] [57] [58] [59]

Avira security researcher Pavel Ponomariov, who specializes in Android malware detection tools, mobile threat detection and the automation of mobile malware detection research, [60] has published an in-depth analysis of this malware. [11]

The countries most affected by this malware were in Asia, including China, India, the Philippines, Indonesia and Turkey. [61]


References

  1. @HackTheW0r1d (5 November 2015). "Shuanet, ShiftyBug and Shedun malware could auto-root your Android". HackBails (hackbails.wordpress.com). Retrieved 2 October 2016.
  2. "Android Adware Abuses Accessibility Service to Install Apps". SecurityWeek. 20 November 2015. Retrieved 20 April 2016.
  3. Singh, Manish (23 November 2015). "New Android Adware Can Download, Install Apps Without Permission: Report". NDTV Gadgets360.
  4. "Three new malware strains infect 20k apps, impossible to wipe, only affect Android". AppleInsider Forums. 5 November 2015.
  5. Eran, Daniel (5 November 2015). "Three new malware strains infect 20k apps, impossible to wipe, only affect Android". AppleInsider. Retrieved 2 October 2016.
  6. "Android Malware On The Loose: Shuanet, ShiftyBug And Shedun Signatures Found On 20,000 Apps Outside Google Play Store". Droid Report.
  7. "Shedun Trojan goes solo". Darkmatters. Archived from the original on 8 April 2016. Retrieved 18 April 2016.
  8. "Popular Mobile Apps Repackaged with Trojans". Lavasoft. 4 November 2015. Retrieved 2 October 2016.
  9. "Another month, another new rooting malware family for Android". blog.elevenpaths.com. Archived from the original on 10 October 2016. Retrieved 9 October 2016.
  10. "DIY Attribution, Classification, and In-depth Analysis of Mobile Malware". Check Point Blog. 11 July 2016. Retrieved 9 October 2016.
  11. "Shedun: adware/malware family threatening your Android device". Avira Blog. 3 September 2015.
  12. "Neue Welle von Android-Malware lässt sich kaum mehr entfernen". Elektronikpraxis.vogel.de. Archived from the original on 15 February 2017. Retrieved 20 April 2016.
  13. PMK Presse, Messe & Kongresse Verlags GmbH. "Gemeinsamkeiten: Shuanet, Shedun & ShiftyBug". Itseccity.de. Retrieved 20 April 2016.
  14. Goodin, Dan (7 July 2016). "10 million Android phones infected by all-powerful auto-rooting apps". Ars Technica. Retrieved 2 October 2016.
  15. "Android Trojanized Adware 'Shedun' Infections Surge". BankInfoSecurity. 8 July 2016. Retrieved 2 October 2016.
  16. "Android Trojanized Adware 'Shedun' Infections Surge". LinkedIn.
  17. "Android-Malware: Adware war gestern. Android-Trojaner auf dem Vormarsch". botfrei Blog. 9 November 2015.
  18. "New type of auto-rooting Android adware is nearly impossible to remove". Ars Technica. 4 November 2015.
  19. Mimoso, Michael (4 November 2015). "Shuanet Adware Roots Android Devices". Threatpost.
  20. "Adware Shedun nistet sich gegen den Willen der Nutzer in Android ein". ITespresso.de. 23 November 2015.
  21. "Android Trojan Software Morphs Into Real Apps, Nearly Impossible To Remove From Device's System: Report". Yibada.
  22. "Android-Malware: Neue Schadsoftware rootet Geräte und ist kaum zu entfernen". Golem.de.
  23. Khandelwal, Swati (3 September 2015). "26 Android Phone Models Shipped with Pre-Installed Spyware". The Hacker News.
  24. "G Data: Mobile Malware Report" (PDF). Public.gdatasoftware.com. Archived from the original (PDF) on 15 February 2017. Retrieved 20 April 2016.
  25. Cimpanu, Catalin (4 September 2015). "24 Chinese Android Smartphone Models Come with Pre-Installed Malware". Softpedia.
  26. Gilbert, David (12 November 2015). "Amazon Selling $40 Android Tablets That Come With Pre-Installed Malware". International Business Times.
  27. "Chinese smartphones infected with pre-installed malware". Security Affairs. 2 September 2015.
  28. "Chinese Android smartphones now shipping with pre-installed malware". SC Magazine. Archived from the original on 7 May 2016. Retrieved 18 April 2016.
  29. Samson, Diane. "Malware Found Pre-Installed on Xiaomi, Huawei, Lenovo Phones". iDigitalTimes.com. Archived from the original on 23 August 2016. Retrieved 18 April 2016.
  30. "Amazon's $40 Chinese Android Tablets Infected With Pre-Installed Malware". Design & Trend. Archived from the original on 15 February 2017. Retrieved 18 April 2016.
  31. Kirk, Jeremy (5 March 2014). "Pre-installed malware found on new Android phones". Computerworld.
  32. "G Data: Mobile Malware Report" (PDF). Public.gdatasoftware.com. Archived from the original (PDF) on 10 March 2016. Retrieved 20 April 2016.
  33. Waqas (14 November 2015). "Amazon Store, a safe haven for Android Tablets with pre-installed malware". HackRead.
  34. "Pre-Installed Android Malware Raises Security Risks in Supply Chain". October 2021.
  35. "Some Android Phones Come With Malware Pre-Installed: Report". The Huffington Post. Archived from the original on 30 May 2016. Retrieved 18 April 2016.
  36. "Brand New Android Smartphones Coming with Spyware and Malware". WCCFtech. 4 September 2015.
  37. "Trojan adware on Android can give itself root access". The Tech Report. 5 November 2015.
  38. "Shedun, Shuanet und Shiftybug: Android-Smartphone vor Malware schützen".
  39. "Android-Nutzer: Achtung vor Trojaner-Adware Shedun". Check & Secure.
  40. "New Android adware tries to root your phone so you can't remove it". ExtremeTech. 5 November 2015.
  41. "More than 20,000 apps auto-root Android devices". SC Magazine UK. 30 January 2022.
  42. "Android's accessibility service grants god-mode p0wn power". The Register.
  43. "Trojanized adware family abuses accessibility service to install whatever apps it wants". Lookout Blog. 19 November 2015. Retrieved 10 April 2016.
  44. "Shedun trojan adware is hitting the Android Accessibility Service". The Inquirer. Archived from the original on 20 November 2015. Retrieved 20 April 2016.
  45. "Shedun adware can install any malicious mobile app". Security Affairs. 22 November 2015.
  46. "Shedun gaining accessibility service privileges" (video). YouTube. 18 November 2015.
  47. Schirrmacher, Dennis (20 November 2015). "Android-Malware: Werbeterror wie von Geisterhand". Security.
  48. "Der Adware-Trojaner Shedun". trojaner-info.de. 6 December 2015.
  49. Khandelwal, Swati (20 November 2015). "This Malware Can Secretly Auto-Install any Android App to Your Phone". The Hacker News.
  50. "Trojaner-Adware installiert selbstständig ungewollte Android-Apps". Areamobile.de. Retrieved 20 April 2016.
  51. "Shedun: Neue Android-Adware installiert Apps ohne deine Einwilligung". Androidmag. 25 November 2015.
  52. Woll, John (23 November 2015). "Installation auch nach Ablehnung: Neue dreiste Android-Adware".
  53. "Android Shedun Malware: New Malware That Can Grant Access to Your Phone; Malware Impossible To Be Removed?". Yibada.
  54. "Gefährliche Android-Schadsoftware: Oft hilft nur neues Gerät". Noz.de. 9 November 2015. Retrieved 20 April 2016.
  55. "Shedun trojan adware is hitting the Android Accessibility Service". The Inquirer. 20 November 2015. Archived from the original on 20 November 2015. Retrieved 10 April 2016.
  56. "Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire". Lookout Blog. 4 November 2015. Archived from the original on 19 February 2017. Retrieved 10 April 2016.
  57. "Shuanet, ShiftyBug and Shedun malware could auto-root your Android". BetaNews. 5 November 2015. Retrieved 10 April 2016.
  58. "New Family Of Android Malware Virtually Impossible To Remove: Say Hello To Shedun, Shuanet And ShiftyBug". Tech Times. 9 November 2015. Retrieved 10 April 2016.
  59. Goodin, Dan (19 November 2015). "Android adware can install itself even when users explicitly reject it". Ars Technica. Retrieved 10 April 2016.
  60. "Pavel Ponomariov". Avira Blog. Archived from the original on 20 April 2016. Retrieved 18 April 2016.
  61. Schwartz, Mathew J. "Android Trojanized Adware 'Shedun' Infections Surge". BankInfoSecurity.