Mobile malware evolves: Adware now breaks and roots your phone

Adware is moving from nuisance to nasty with the discovery of over 20,000 Android apps which can root your phone, making it almost impossible to remove.

Image: NopSec

Mobile threats just raised their game with adware-based malware which can root your device without your consent.

In the past, adware was little more than a nuisance. Whether by PC or mobile device, the only real gateway cyberattackers could take advantage of was enticing viewers to click on a banner or ad, resulting in the download of fake software or malicious applications.

Times have now changed and it may only take a victim viewing a compromised Web page for third-party apps to be installed without user consent.

The adware and advertising revenue model for mobile devices relies on eyeballs and clicks. Web marketing companies also pay out through a Cost Per Install model in which individuals are paid every time an ad viewer downloads a sponsored app. This revenue model, however, is open to exploitation -- cyberattackers add their own malware components which force these downloads, giving them a better chance of cashing in with relatively little effort.

If hackers gain root access to a device, they can install whatever they please on it -- not only to force downloads of third-party apps, but also to conduct surveillance and steal data.

The rates of adware-based malware campaigns, known as malvertising, are low but still a threat. According to Blue Coat, five percent of the mobile threats users face came through malvertising campaigns -- nothing in comparison to adult websites loading up devices with junkware and malicious code -- but techniques are being refined and adware is becoming more sophisticated over time.

A new report released by Lookout says auto-rooting apps installed through malicious mobile campaigns are a recent and "worrying" development within Google's Android ecosystem. The security team revealed that adware is now becoming trojanized, with malicious adware masquerading as legitimate apps in order to load malicious code and steal consumer data -- after rooting the victim's device to become firmly entrenched in smartphones and tablets.

The team discovered over 20,000 apps swimming around the ecosystem which appear to be legitimate in order to dupe consumers into downloading them from areas other than the Google Play store.

Repackaged and malicious apps found in the wild include Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Twitter, Snapchat and WhatsApp, to name but a few.

The cyberattackers repackage and rebuild these apps with malicious code before releasing them back into the wild and third-party app stores. The problem? It's not easy to tell what is legitimate and what isn't.

"Indeed, we believe many of these apps are actually fully-functional, providing their usual services, in addition to the malicious code that roots the device," Lookout says.

The app manipulators load trojanized adware which works silently in the background, rooting the device and burying itself in system files to make removal by the average user unlikely.

The Shuanet, Kemog -- also known as ShiftyBug -- and Shedun are adware families which Lookout has traced over the past year. While technically classified as adware, the researchers say the families can now firmly be viewed as Trojans as they are responsible for over 20,000 repackaged malicious apps alone.

While Lookout can't be sure who created the fraudulent apps, the team does assume they may be associated in some way, as each family's auto-rooting code has a 71 percent to 82 percent similarity to the others. In addition, the three families share exploits, many of which are used in popular root enablers.

The highest detection rates are in the US, Germany, Iran, Russia and India.

The repercussions of becoming infected can be nasty. Lookout says that victims infected by Shedun, Shuanet, and ShiftyBug might end up using their smartphones as doorstops and replacing them with new mobiles entirely. As the adware roots the device and installs itself as system files, the malicious apps "become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy."
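The persistence trick described above, burying a repackaged consumer app in the system partition where a normal uninstall cannot reach it, leaves a footprint a defender can look for: store-distributed apps such as Twitter or Candy Crush normally live under /data/app, never under /system. The script below is an added example (not Lookout's tooling or code from the article) that parses the output of `adb shell pm list packages -f` and flags packages that sit under /system but are either well-known store apps or absent from a baseline of expected system packages. The sample output, the baseline set and the store-app list are constructed for the example; a real baseline would be captured from a known-clean device of the same model and firmware.

```python
"""Flag apps that have been installed into the Android system partition unexpectedly.

Input is the text of `adb shell pm list packages -f` (one "package:<apk path>=<package name>"
line per installed package). Added example; the data below is constructed, not from a real device.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample output (hypothetical device). Two store apps have been planted under
# /system, which is how the trojanized adware families in the article survive removal.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
package:/system/app/SysUpdate/SysUpdate.apk=com.king.candycrushsaga
package:/system/priv-app/Helper/Helper.apk=com.twitter.android
package:/data/app/com.snapchat.android-2/base.apk=com.snapchat.android
"""

# Hypothetical baseline of packages expected under /system on this device model.
SYSTEM_BASELINE = {"com.android.settings", "com.android.bluetooth"}

# Store-distributed apps that should never appear in the system partition. Illustrative
# list built from the apps the article names as repackaged; not exhaustive.
STORE_APPS = {
    "com.king.candycrushsaga", "com.facebook.katana", "com.twitter.android",
    "com.whatsapp", "com.snapchat.android", "com.nytimes.android",
}

LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    path: str
    reason: str


def parse_pm_output(text):
    """Yield (apk_path, package_name) pairs; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("pkg")


def is_system_path(path):
    """True for APKs living in the system partition (/system/app, /system/priv-app, ...)."""
    return path.startswith("/system/")


def find_suspicious(text, baseline=SYSTEM_BASELINE, store_apps=STORE_APPS):
    """Return findings for system-partition packages that are store apps or off-baseline."""
    findings = []
    for path, pkg in parse_pm_output(text):
        if not is_system_path(path):
            continue  # user-space installs are removable the normal way; not our concern here
        if pkg in store_apps:
            findings.append(Finding(pkg, path, "store app installed as a system app"))
        elif pkg not in baseline:
            findings.append(Finding(pkg, path, "system package not in device baseline"))
    return findings


def main(argv):
    # Usage: python check_system_apps.py [pm_output.txt]; with no file the sample is scanned.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PM_OUTPUT
    findings = find_suspicious(text)
    for f in findings:
        print(f"SUSPICIOUS {f.package} at {f.path}: {f.reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A hit from this check is a trigger for investigation rather than proof of infection: OEMs do preload some third-party apps into /system, which is exactly why the baseline should come from a clean device of the same build rather than from a generic list.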

Businesses are not safe from the consequences of infection, either. If rooted devices are granted access to a corporate network, especially if legitimate apps are hijacked by the malware, the cyberattackers may be granted access to sensitive data or be able to use mobile devices as a springboard into wider network infiltration.

Unfortunately, developers may also come under fire -- although they are themselves victims of the malware which repackages their apps in the first place, the blame may end up being placed at their feet, resulting in a tarnished reputation.

"We expect this class of trojanized adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional malware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities," Lookout says.

In related news, cybersecurity firm Fidelis revealed JSocket this week, a remote access Trojan (RAT) evolved from the AlienSpy malware which is able to infect both PCs and mobile devices. The RAT, tracked in global phishing campaigns, is able to take over legitimate Android applications and bury itself while controlling your device and stealing sensitive data.
