A new piece of Android malware has been revealed by security firm Lookout, and it’s a clever one.
The malware in question is a type of trojan adware called Shuanet, which is masquerading as 20,000
different popular apps. Shuanet doesn’t just display ads, though.
It also attempts to root any device it is installed on, allowing the malware to survive factory resets.
Shuanet shares a lot of code with several other adware trojans that Lookout has detected recently
known as Kemoge and Shedun. What’s interesting about Shuanet is that it doesn’t seek to wreak havoc on
an infected device or clog it with other malware. This is adware first and foremost, so the goal is to
get people to use their devices and see the ads.
The malware operators are downloading the legitimate Android APKs of popular apps,
then integrating Shuanet and reposting them in third-party app stores. The thousands of apps repackaged
by Shuanet include the likes of Facebook, Snapchat, NYTimes, WhatsApp, and more.
These apps appear to function normally after being installed, so the user might not even realize
anything is wrong. Just a few annoying popup ads, but such is the price we pay for living in a
connected world, right?
ShuanetThe aspect of Shuanet that is grabbing headlines is that it roots your device,
which is sort of true. It certainly tries to root any Android device it is installed on,
but according to Lookout, it’s not using any new secret system vulnerabilities.
It’s simply a package of older community-developed exploits that enthusiast users install to gain
root access for their own enjoyment. If Shuanet successfully roots a phone, it moves the infected app
to the system partition, which means it will survive a factory reset.
The only way to remove it would be to use a root-enabled file explorer to find and remove the package.
That would be tough if you didn’t know which app was the source of the infection.
This isn’t as calamitous as it sounds at first. As we’ve mentioned in the past,
there are no universal root exploits on Android, and all of the public exploits included in
Shuanet have been patched (for example ExynosAbuse and Framaroot). Thus, a device is only vulnerable
if it’s running a rather old version of Android. Notice how the example image provided by Lookout is a
Jelly Bean phone? A newer phone wouldn’t be rooted by Shuanet, but the ad features could still work.
It’s still very hard to get infected with Shuanet. You’d have to disable installation protection,
ignore the Google security warnings, then manually install one of these apps from a shady third-party
app store instead of simply getting it from Google Play. I’m not sure who would do that,
but Lookout says it has seen it happening in the wild. It does not provide a figure for the number
of infections, though.