Shedun

Shedun is a family of Android malware (also known as Kemoge, Shiftybug and Shuanet [1] [2] [3] ) first identified in late 2015 by the mobile security company Lookout, and found in roughly 20,000 [4] popular Android applications. [3] [5] [6] [7] [8] Lookout claimed that the HummingBad malware was also part of the Shedun family, but these claims were refuted. [9] [10]

Avira Protection Labs stated that Shedun-family malware is detected in approximately 1500-2000 infections per day. [11] All three variants are known to share roughly 80% of the same source code. [12] [13]

In mid-2016, Ars Technica reported that approximately 10,000,000 devices were infected by this malware [14] and that new infections were still surging. [15] [16]

The malware's primary attack vector is repackaging legitimate Android applications (e.g. Facebook, Twitter, WhatsApp, Candy Crush, Google Now, Snapchat [17] ) [4] [18] [19] with adware included. The app, which remains functional, is then released to a third-party app store; [20] once downloaded, it generates revenue by serving ads (estimated at US$2 per installation [19] ). Most users cannot get rid of the malware without getting a new device, as the only other way to remove it is to root the affected device and re-flash a custom ROM. [21] [22]

In addition, Shedun-type malware has been found pre-installed on 26 different models [23] of Chinese Android-based hardware such as smartphones and tablet computers. [24] [25] [26] [27] [28] [29] [30] [31] [32] [33] [34] [35] [36]

Shedun-family malware is known for auto-rooting the Android OS [18] [37] using well-known exploits such as ExynosAbuse, Memexploit and Framaroot [38] (a potential privilege escalation [19] [39] [40] ), [41] for serving trojanized adware, and for installing itself in the system partition of the operating system, so that not even a factory reset can remove the malware from infected devices. [42] [43]

Shedun malware is known for targeting the Android Accessibility Service, [2] [42] [44] [45] [46] [47] [48] and for downloading and installing arbitrary applications [49] (usually adware) without permission. [3] It is classified as "aggressive adware" because it installs potentially unwanted applications [50] [51] [52] and serves ads. [53]
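One way a defender can triage a device's package inventory for the indicators described in the three paragraphs above (well-known apps repackaged under a foreign signing certificate, non-OEM packages persisting on the /system partition, and accessibility-service use), as an added Python example that is not part of the original article: the `pm list packages -f` line format is real, while the signer fingerprints, the OEM baseline, the package `com.sys.update.helper` and all per-package metadata are constructed placeholders.

```python
"""Inventory triage for two Shedun-style indicators: (1) a well-known
package name signed by a certificate other than the publisher's (a
repackaged app) and (2) a non-OEM package living on the read-only /system
partition, worse if it also declares an accessibility service.
All fingerprints, baselines and sample output below are constructed."""
import re

# Line format of `adb shell pm list packages -f`: package:<apk path>=<name>
PM_LINE = re.compile(r"^package:(?P<apk>\S+?)=(?P<pkg>[\w.]+)$")

# Constructed placeholder fingerprints, NOT the real publishers' certificates.
KNOWN_SIGNERS = {"com.facebook.katana": "AA" * 32, "com.whatsapp": "BB" * 32}
# Constructed OEM baseline of what legitimately lives on /system.
OEM_SYSTEM_BASELINE = {"com.android.settings", "com.android.phone"}

# Constructed sample inventory: pm output plus per-package metadata an
# analyst would pull from each APK (signer SHA-256, accessibility service).
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
package:/data/app/com.facebook.katana-2/base.apk=com.facebook.katana
package:/system/app/SysUpdate/SysUpdate.apk=com.sys.update.helper
"""
SAMPLE_META = {  # package -> (signer SHA-256 hex, declares accessibility service)
    "com.android.settings": ("CC" * 32, False),
    "com.whatsapp": ("BB" * 32, False),
    "com.facebook.katana": ("DD" * 32, False),   # signer does not match
    "com.sys.update.helper": ("EE" * 32, True),  # non-OEM, on /system, a11y
}

def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    paths = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            paths[m.group("pkg")] = m.group("apk")
    return paths

def triage(paths, meta):
    """Return {package: [reasons]} for every package hitting an indicator."""
    findings = {}
    for pkg, apk in paths.items():
        signer, has_a11y = meta.get(pkg, ("", False))
        reasons = []
        expected = KNOWN_SIGNERS.get(pkg)
        if expected and signer.upper() != expected:
            reasons.append("signer mismatch: likely repackaged")
        if apk.startswith("/system/") and pkg not in OEM_SYSTEM_BASELINE:
            reasons.append("non-OEM package on /system (survives factory reset)")
            if has_a11y:
                reasons.append("declares an accessibility service")
        if reasons:
            findings[pkg] = reasons
    return findings

def run_sample():
    """Run the triage over the constructed inventory."""
    return triage(parse_pm_list(SAMPLE_PM_OUTPUT), SAMPLE_META)
```

Calling `run_sample()` flags only the repackaged Facebook entry and the non-OEM /system package; a real baseline of publisher certificates and OEM packages has to come from a trusted source, not from the device being examined.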

As of April 2016, Shedun malware is considered by most security researchers to be next to impossible to entirely remove. [54] [55] [56] [57] [58] [59]

Avira Security researcher Pavel Ponomariov, who specializes in Android malware detection tools, mobile threat detection, and mobile malware detection automation research, [60] has published an in-depth analysis of this malware. [11]

The countries most affected by this malware were in Asia, including China, India, the Philippines, Indonesia and Turkey. [61]


References

  1. @HackTheW0r1d (5 November 2015). "Shuanet, ShiftyBug and Shedun malware could auto-root your Android – HackBails". Hackbails.wordpress.com. Retrieved 2 October 2016.
  2. "Android Adware Abuses Accessibility Service to Install Apps". SecurityWeek.com. Retrieved 20 April 2016.
  3. Manish Singh. "New Android Adware Can Download, Install Apps Without Permission: Report". NDTV Gadgets360.com.
  4. "Three new malware strains infect 20k apps, impossible to wipe, only affect Android". AppleInsider Forums.
  5. Eran, Daniel (5 November 2015). "Three new malware strains infect 20k apps, impossible to wipe, only affect Android". Appleinsider.com. Retrieved 2 October 2016.
  6. "Android Malware On The Loose: Shuanet, ShiftyBug And Shedun Signatures Found On 20,000 Apps Outside Google Play Store". Droid Report.
  7. "Shedun Trojan goes solo". Darkmatters. Archived from the original on 8 April 2016. Retrieved 18 April 2016.
  8. "Popular Mobile Apps Repackaged with Trojans". Lavasoft. 4 November 2015. Retrieved 2 October 2016.
  9. "Another month, another new rooting malware family for Android". blog.elevenpaths.com. Archived from the original on 10 October 2016. Retrieved 9 October 2016.
  10. "DIY Attribution, Classification, and In-depth Analysis of Mobile Malware". Check Point Blog. 11 July 2016. Retrieved 9 October 2016.
  11. "Shedun: adware/malware family threatening your Android device". Avira Blog. 3 September 2015.
  12. "Neue Welle von Android-Malware lässt sich kaum mehr entfernen". Elektronikpraxis.vogel.de. Retrieved 20 April 2016.
  13. PMK Presse, Messe & Kongresse Verlags GmbH. "Gemeinsamkeiten: Shuanet, Shedun & ShiftyBug". Itseccity.de. Retrieved 20 April 2016.
  14. Goodin, Dan (7 July 2016). "10 million Android phones infected by all-powerful auto-rooting apps". Ars Technica. Retrieved 2 October 2016.
  15. "Android Trojanized Adware 'Shedun' Infections Surge". Bankinfosecurity.com. 8 July 2016. Retrieved 2 October 2016.
  16. "Android Trojanized Adware 'Shedun' Infections Surge". www.linkedin.com.
  17. "Android-Malware: Adware war gestern. Android-Trojaner auf dem Vormarsch". botfrei Blog. 9 November 2015.
  18. "New type of auto-rooting Android adware is nearly impossible to remove". Ars Technica. 4 November 2015.
  19. Michael Mimoso. "Shuanet Adware Roots Android Devices". Threatpost.
  20. "Adware Shedun nistet sich gegen den Willen der Nutzer in Android ein". ITespresso.de. 23 November 2015.
  21. "Android Trojan Software Morphs Into Real Apps, Nearly Impossible To Remove From Device's System: Report". Yibada.
  22. "Android-Malware: Neue Schadsoftware rootet Geräte und ist kaum zu entfernen". Golem.de.
  23. Swati Khandelwal (3 September 2015). "26 Android Phone Models Shipped with Pre-Installed Spyware". The Hacker News.
  24. "G Data: Mobile Malware Report" (PDF). Public.gdatasoftware.com. Archived from the original (PDF) on 15 February 2017. Retrieved 20 April 2016.
  25. Catalin Cimpanu (4 September 2015). "24 Chinese Android Smartphone Models Come with Pre-Installed Malware". Softpedia.
  26. David Gilbert (12 November 2015). "Amazon Selling $40 Android Tablets That Come With Pre-Installed Malware". International Business Times.
  27. "Chinese smartphones infected with pre-installed malware". Security Affairs. 2 September 2015.
  28. "Chinese Android smartphones now shipping with pre-installed malware". SC Magazine. Archived from the original on 7 May 2016. Retrieved 18 April 2016.
  29. Diane Samson. "Malware Found Pre-Installed on Xiaomi, Huawei, Lenovo Phones". iDigitalTimes.com. Archived from the original on 23 August 2016. Retrieved 18 April 2016.
  30. "Amazon's $40 Chinese Android Tablets Infected With Pre-Installed Malware". Design & Trend. Archived from the original on 15 February 2017. Retrieved 18 April 2016.
  31. Jeremy Kirk (5 March 2014). "Pre-installed malware found on new Android phones". Computerworld.
  32. "G Data: Mobile Malware Report" (PDF). Public.gdatasoftware.com. Archived from the original (PDF) on 10 March 2016. Retrieved 20 April 2016.
  33. Waqas (14 November 2015). "Amazon Store, a safe haven for Android Tablets with pre-installed malware". HackRead.
  34. "Pre-Installed Android Malware Raises Security Risks in Supply Chain". (Dead link.)
  35. "Some Android Phones Come With Malware Pre-Installed: Report". The Huffington Post. Archived from the original on 30 May 2016. Retrieved 18 April 2016.
  36. "Brand New Android Smartphones Coming with Spyware and Malware". WCCFtech. 4 September 2015.
  37. "Trojan adware on Android can give itself root access". The Tech Report. 5 November 2015.
  38. "Shedun, Shuanet und Shiftybug: Android-Smartphone vor Malware schützen".
  39. "Android-Nutzer: Achtung vor Trojaner-Adware Shedun". Check & Secure.
  40. "New Android adware tries to root your phone so you can't remove it". ExtremeTech.
  41. "More than 20,000 apps auto-root Android devices". SC Magazine UK. 30 January 2022.
  42. "Android's accessibility service grants god-mode p0wn power". The Register.
  43. "Trojanized adware family abuses accessibility service to install whatever apps it wants". Lookout Blog. 19 November 2015. Retrieved 10 April 2016.
  44. "Shedun trojan adware is hitting the Android Accessibility Service". Theinquirer.net. Archived from the original on 20 November 2015. Retrieved 20 April 2016.
  45. "Shedun adware can install any malicious mobile app". Security Affairs. 22 November 2015.
  46. "Shedun gaining accessibility service privileges". 18 November 2015. Via YouTube.
  47. Dennis Schirrmacher (20 November 2015). "Android-Malware: Werbeterror wie von Geisterhand". Security.
  48. "Der Adware-Trojaner Shedun". trojaner-info.de. 6 December 2015.
  49. Swati Khandelwal (20 November 2015). "This Malware Can Secretly Auto-Install any Android App to Your Phone". The Hacker News.
  50. "Trojaner-Adware installiert selbstständig ungewollte Android-Apps". Areamobile.de. Retrieved 20 April 2016.
  51. "Shedun: Neue Android-Adware installiert Apps ohne deine Einwilligung". Androidmag. 25 November 2015.
  52. John Woll (23 November 2015). "Installation auch nach Ablehnung: Neue dreiste Android-Adware".
  53. "Android Shedun Malware: New Malware That Can Grant Access to Your Phone; Malware Impossible To Be Removed?". Yibada.
  54. "Gefährliche Android-Schadsoftware: Oft hilft nur neues Gerät". Noz.de. 9 November 2015. Retrieved 20 April 2016.
  55. "Shedun trojan adware is hitting the Android Accessibility Service". The Inquirer. 20 November 2015. Archived from the original on 20 November 2015. Retrieved 10 April 2016.
  56. "Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire". Lookout Blog. 4 November 2015. Retrieved 10 April 2016.
  57. "Shuanet, ShiftyBug and Shedun malware could auto-root your Android". Betanews.com. 5 November 2015. Retrieved 10 April 2016.
  58. "New Family Of Android Malware Virtually Impossible To Remove: Say Hello To Shedun, Shuanet And ShiftyBug". Tech Times. 9 November 2015. Retrieved 10 April 2016.
  59. Goodin, Dan (19 November 2015). "Android adware can install itself even when users explicitly reject it". Ars Technica. Retrieved 10 April 2016.
  60. "Pavel Ponomariov". Avira Blog.
  61. Schwartz, Mathew J. "Android Trojanized Adware 'Shedun' Infections Surge". Bankinfosecurity.com.