Lookout Discovers Trojanized Adware that Secretly Acquires Root Access

Malicious root-seeking adware found in 20,000 apps

We may earn a commission for purchases made using our links.

Publicly available root exploits are a godsend to consumers whose devices are locked. Exploits such as Towelroot easily enabled any user running on Android version KitKat and below to acquire root access with the click of a button. However, these methods are considered “exploits” for a reason.

If an application like Towelroot can exploit your device’s firmware to enable root access, what’s preventing a malicious third-party application obtaining root access by tricking you? After all, thanks to these exploits an application doesn’t have to ask the user to grant it root if it can simply enable it on its own.

OEMs constantly update their supported devices to stamp out these exploits, but often there are simply too many devices to maintain. In addition, new exploits are discovered on a regular basis (some of which we may not even be aware of!) leading to a never ending battle between hackers looking to target people’s personal and financial details and OEMs looking to protect their customers. It’s an OEMs worst nightmare to see hackers target their customers, and there’s little they can do if those hackers go after the customers that aren’t upgrading their devices or aren’t sticking to first party application stores.

Trojanized Adware

Mobile security firm Lookout has just confirmed these fears in a blog-post that unveils the widespread use of trojanized adware to automatically gain root access upon user installation. The security researchers discovered over 20,000 applications that include a form of trojanized adware, some of which masquerade as popular apps like CandyCrush, Facebook, Twitter, Snapchat, and WhatsApp. These infected applications are often ripped straight from the Google Play Store and repackaged with the adware to target unsuspecting users in third-party app stores. Unlike most annoying adware attacks that can be quelled by uninstalling the responsible app, these trojans utilize root access to install themselves as system apps, preventing their uninstallation using normal means.

Lookout’s research led it to discover three interconnected families of adware – Shuanet, Kemoge, and Shedun. Though it’s hard to say whether or not these three adware groups are directly related, it’s clear that there was at least some collaboration involved given that these adware share much of their code as well as utilizing most of the same publicly available root exploits. Lookout discovered that these adware affect users in a wide variety of areas, which is unsurprising given the large number of third-party application repositories that are out there. However, the company did not indicate whether or not any of they made their way onto the Google Play Store. That’s not to say it’s not possible though, as Lookout itself previously discovered.

What to Expect

If you’re using a current generation device and have kept your device up-to-date (whether officially or unofficially), you’re unlikely to currently be at risk to any of these exploits — especially if you are an educated user. However, as new exploits are discovered this may not hold true. The best that you can do is to only install applications from trusted sources and developers whenever possible (and no, an antivirus program such as Lookout will not be able to do much for you here). If you do fall victim to an attack by a trojanized adware, your only options to get rid of it manually is to remove the app yourself using root access or to flash the stock firmware from the manufacturer, overwriting the system partition.

This problem affects more than just the user – it has a ripple effect on the entire ecosystem. Users with compromised devices may pose a security threat to their places of employment if a malicious actor can access enterprise apps. Developers of popular apps will suffer a hit in their reputation if they get blamed for adware they had no part in spreading. OEMs will suffer from users swearing off their latest devices due to having a poor user experience for reasons they do not understand. We hope that discoveries such as this will make OEMs take security more seriously for ALL of their devices, not just their flagship ones.