
Lookout Researchers Find New Auto-Rooting Adware

November 5, 2015 - Written By Tom Dawson

A lot of Android users swear by having root access, essentially the equivalent of superuser or admin rights on Linux machines. Being able to access whatever you want on your smartphone is great, and root access gives users the ability to change a lot about their overall Android experience. As it turns out, however, root access can also be used to take over your device and ruin your experience, or at least this is what Lookout researchers have found.

In a blog post earlier this week, Lookout published a new report that says they’ve found “20,000 samples” of auto-rooting adware: malware that infiltrates official-looking apps like Candy Crush, Twitter, Facebook and others. The code then auto-roots your device in the background and installs itself as a system-level application. Modders and tweakers of Android will know that system-level apps are notoriously difficult to remove if you don’t know what you’re doing, or don’t have root access yourself, and this is where the problem lies. Lookout found three major strains, dubbed Shedun, Kemoge (which Lookout refers to as ShiftyBug) and Shuanet. These three families of trojans all behave in a similar fashion, and they ship with a number of different exploits to root devices from all sorts of different smartphone manufacturers.

Lookout says that the 20,000 samples of these apps were mostly found in regions such as the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia. The root exploits used were Framaroot, ExynosAbuse and Memexploit. Those familiar will know that these three root exploits cover a wide range of different manufacturers and can root almost any version of Android. The reason devices are getting infected is, once again, down to users installing from third-party app stores outside of the Google Play Store. Legitimate apps like WhatsApp and others are being repackaged with these exploits and the adware rolled in, leaving users thinking they’ve downloaded a legitimate piece of software, when really they’ve fallen victim to a nasty trojan horse.

This problem gets worse when we consider how difficult these apps can be to remove. As they become system-level apps, Lookout says that many users simply have no other choice but to purchase a replacement device to get away from the software. As always, use nothing but the Google Play Store and if something seems even remotely illegitimate, then it probably is.