: Shuanet, ShiftyBug, and Shedun. These families root the victim’s device after being installed and then embed themselves in the system partition in order to persist, even after factory reset, becoming nearly impossible to remove. We call it “trojanized adware,” because the end goal of this malware is to install secondary applications and serve aggressive advertising.

Shedun, a family of trojanized adware, is more sophisticated than many think. In addition to rooting a victim’s device, Lookout observed Shedun abusing the Android Accessibility Service for its malicious means. Using the accessibility service toolset in the delivery of malware is pretty uncommon, so we took a deeper look.Shedun takes its adware a step further. Not only does it download the unwanted apps, but it actually attempts to install them by tricking a user into enabling Shedun to control the Accessibility Service, which is designed to provide alternative ways to interact with mobile devices. Shedun does not exploit a vulnerability in the service, instead it takes advantage of the service’s legitimate features. By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user. The video below shows a sample of Shedun doing just this. After rooting the device, Shedun (likely masquerading as a popular app or system utility), asks the user to turn on the accessibility service. The messaging is ironically misleading:“[This app] uses accessibility features to help stop inactive apps you aren’t using. You’ll see a standard privacy risk reminder, Please feel at ease about turning it on.”First, it lies about what accessibility features do (they do not help stop inactive apps, nor do they provide maximum acceleration). Then it attempts to placate the victim to “feel at ease” about turning on the service - sure, trust them, nothing to worry about.This does require some victim interaction in that she must turn on the accessibility service initially if she falls for the “feel at ease” message. But from there the installation of further apps is automatic.Shedun then shows the victim a pop-up advertisement for another application. When the victim clicks away from the pop up, the app downloads anyway. As soon as the download is complete, Shedun uses the accessibility service to automatically approve all the permissions for the app and install it--without any additional user interaction.This isn’t the first time we’ve seen a piece of malware abusing the accessibility service. A Japan-targeted threat also abused the service with the goal of surveilling its victims. Namely, it collected messages from the popular messaging service LINE, when one of these messages was read by the accessibility service.Shedun likely uses this technique in order to increase its revenue by guaranteeing the installation and execution of advertised applications. After all, marketing companies pay more money for advertising campaigns where the user actually interacts with the application after downloading it instead of simply downloading and forgetting about it. In this case, Shedun takes that choice away, leaving the user angry at the advertised app that they have been forced to experience, while simultaneously taking the money from ad agencies, despite having violated their policies. This class of malware is evolving quickly and we believe we’ll see more sophisticated families surfacing in the future.In this video, you can see Shedun's trick to get victims to enable the Accessibility Service:In this video, you can see Shedun using the Accessibility Service to automatically install an app: