Trojanized Android apps flood third-party stores, compromise phones

Malicious copies of the most popular Android apps are used to install persistent adware

Attackers are creating rogue versions of popular Android applications that compromise the security of devices and are extremely hard to remove.

Researchers from mobile security firm Lookout have found more than 20,000 samples of such trojanized apps. They're typically fully functional copies of top Android applications like Candy Crush, Facebook, Google Now, NYTimes, Okta, SnapChat, Twitter or WhatsApp, but with malicious code added to them.

The goal of these rogue apps is to aggressively display advertisements on devices. A scary development though is that, unlike traditional adware, they root the devices where they get installed in order to prevent users from removing them.

In the Android world, rooting a device refers to the process of obtaining administrative privileges -- the root account. An application with root access can break out of its restricted sandbox and take control over the entire device, its applications and data.

The good news is that these trojanized applications are mostly distributed through third-party app stores, so they pose no direct threat to users who only download apps from Google Play.

However, there are legitimate reasons for users to use third-party app stores, which often have apps that are not allowed in Google Play because they can't meet the store's various terms. Online gambling and porn apps are two examples.

Lookout recorded the highest number of detections for trojanized applications in countries like the U.S., Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.

The researchers identified three separate families of adware apps that automatically root devices, dubbed Shedun, Shuanet, and ShiftyBug, which they believe could be related.

The attackers behind these threats likely uses automation to repackage the most popular legitimate apps from Google Play and upload them to less-policed, third-party stores. That would explain the large sample count.

"We expect this class of trojanized adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional malware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities," the researchers said in a blog post.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?