Security business Lookout have announced on a blog post a new threat to the Android ecosystem: applications that are able to automatically root your device and install themselves, and others, deep into the operating system. However, Lookout reports that they haven't discovered a handful of applications able to do this but instead their systems have discovered twenty thousand modified applications containing the necessary code to root your device and deliver their malicious content. Because these applications compromise your operating system integrity and give applications elevated permissions, they are not removed with a factory reset and linger on. Users with a compromised device must either reflash the operating system (or return the device to the carrier or manufacturer in order to have it reflashed) or modify system files via ABD. Or, as Lookout says, to simply replace the device.
The modified, or bogus, applications usually have the same name and icon as the real deal, but either appear not to work or work as normal. Behind the scenes, both applications quickly go to work on the device, using well known root exploit tricks to circumvent your device's normal security systems. Currently, the infected applications install ad-pushing technologies onto the device, but there is significant potential here to install other, more malicious applications. One example of this is how third party applications are not normally able to access files created by other third party applications, but with system permission, an application can do whatever it wants on your device. This means that any and all data on the device could be compromised. Lookout's blog details the three families of adware as Shuanet, ShiftyBug (Kemoge) and GhostPush (or Shedun) and their research shows that these three applications are linked, containing similar mechanisms to root the device. Lookout's research points towards there being a highly organised system of infecting applications and waiting for users to download and install, noting that antivirus applications have been excluded from being infected.
Although most of the compromised applications are on alternative application stores to Google Play, Lookout explain that it is a global issue as some of the highest infection rates are in developed smartphone markets, citing Germany and the United States of America. The issue isn't limited to those parts of the world where the Google Play Store is not easily accessible. Offending applications include big names such as Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter and WhatsApp. They also warn that they expect this new, specialized form of trojanized adware to gain in sophistication and popularity. Currently, Lookout's advice is for Android users to be more cautious with downloads and where we source our third party applications from.