nearly impossible to remove android adware

Bsmith

source:

http://arstechnica.com/security/2015/11/new-type-of-auto-rooting-android-adware-is-nearly-impossible-to-remove/

Although I'm not really set on which brand to use regarding phones or tablets, articles like this always make it harder for me to keep trusting Android, although Google (hopefully) always does its best with new Android versions.

Researchers have uncovered a new type of Android adware that's virtually impossible to uninstall, exposes phones to potentially dangerous root exploits, and masquerades as one of thousands of different apps from providers such as Twitter, Facebook, and even Okta, a two-factor authentication service.

The researchers have found more than 20,000 samples of trojanized apps that repackage the code or other features found in official apps available in Google Play and then are posted to third-party markets. From the end user's perspective, the modified apps look just like the legitimate apps, and in many cases they provide the same functionality and experience. Behind the scenes, however, the apps use powerful exploits that gain root access to the Android operating system. The exploits—found in three app families known as Shedun, Shuanet, and ShiftyBug—allow the trojanized apps to install themselves as system applications, a highly privileged status that's usually reserved only for operating system-level processes.

"For individuals, getting infected with Shedun, Shuanet, and ShiftyBug might mean a trip to the store to buy a new phone," researchers from mobile security firm Lookout wrote in a blog post published Wednesday. "Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy."

The Lookout researchers said the apps appear to do little more than display ads, but given their system-level status and root privileges, they have the ability to subvert key security mechanisms built into Android. Under a model known as sandboxing, for instance, Android apps aren't permitted to access passwords or most other data available to other apps. System applications with root, by contrast, have super-user permissions that allow them to break out of such sandboxes. From there, root-level apps can read or modify data and resources that would be off limits to normal apps.

"At first, we wondered why someone would infect an enterprise two-factor authentication app in order to serve ads, neglecting the opportunity to harvest and exfiltrate user credentials," the Lookout researchers wrote. "However, looking at the distribution portion of the command and control server, it appears that these families programmatically repacked thousands of popular apps from first-tier app stores like Google Play and its localized equivalents. Curiously, antivirus apps appear to have been specifically excluded, suggesting a high level of planning when creating these malware campaigns."

After the apps are downloaded from Google Play, they're repackaged with the malicious code and distributed on third-party websites. Lookout is seeing the highest number of detections in the US, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia. The report is the latest to underscore the risks of using third-party markets. There are no indications that any of the trojanized apps have made their way into Google Play. Such breaches happen several to dozens of times per year, however, and could prove especially damaging if they included the types of apps Lookout has found.

In many cases, the apps use multiple root exploits so they can be tailored to the vulnerabilities present in the specific phone being infected. ShiftyBug, for instance, is equipped with at least eight separate root exploits. With names including Memexploit, Framaroot, and ExynosAbuse, many of the exploits are publicly available and are often used by legitimate services that allow Android users to root their devices so they can overcome limitations imposed by carriers or manufacturers.

It's not clear what the precise relationship is among the three adware families responsible for the 20,000 adware samples observed by Lookout. Variants from the different groups share anywhere from 71 percent to 82 percent of the same code. "It's clear the three have at least heard of each other," the Lookout researchers concluded.

(text might be wrong for night theme users, "paste a text" option ain't working. seems fine here, no worries.)

For the people that wonder how the heck it's possible for malware to overwrite the boot loader: if the person commenting is indeed one of the researchers committed to this then I dare to say it's legit, but on the other hand this is the internet after all. Although the explanation makes sense.

thanks to @aesrock for pointing out this was on the arstechnica site in the comments

well, this ain't that good TBH....

Gotta check my Nexus now quickly, I'm careful with it and it ain't rooted and I use the official store only... but still, better safe than sorry.

 

edit:

added picture and changed text position of source, now back to cooking food.

edit2:

added section with clarification regarding bootloader overwriting.

added more text outside the quote.

And all the people laugh about us iPhone users...


Further reason why I switched to iPhone a couple years ago and probably won't ever go back.

 

Those get viruses too, just not as many because the market share is too small to make it interesting to write exploits for them. 


"For individuals, getting infected with Shedun, Shuanet, and ShiftyBug might mean a trip to the store to buy a new phone"

 

Am I missing something here, or is that like saying "if your PC gets a virus you might have to buy a new PC". If your phone can be rooted by some shitty autoroot hack, then I'm almost certain you'll be able to wipe and reflash the thing (fresh install).

 

EDIT: Yeah seems the guys that wrote this have clarified on a comment on the Ars website.

 

The malware roots the device, then writes a bunch of files to /system/xbin and /system/bin. Additionally the install-recovery.sh file located in /etc/ is modified so that these hidden files are executed.

If the files are present in the directories listed above, the malware behavior will continue as soon as wifi is connected after a factory reset.

If a user is comfortable enough to drop a fresh ROM on there it can be removed. But not every user has that level of sophistication. If you knew what to look for you could probably also remove the files manually with root and adb.
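As an added example (mine, not code from the article, Lookout or anyone in this thread): a POSIX shell check for the persistence point that comment describes, run against a copy of install-recovery.sh. The allowlist of stock commands and the sample file contents are assumptions, and the demo file names are made up.

```shell
#!/bin/sh
# Added example (not from the article, Lookout or this thread): a defender-side check
# for the persistence point the comment describes. Given a copy of
# /etc/install-recovery.sh (on a real device: adb pull /system/etc/install-recovery.sh;
# here a constructed sample), it flags every executable invoked from /system/xbin or
# /system/bin that is not on a small allowlist. The allowlist is an assumption about
# what a stock script runs, not an official list.
set -f   # no glob expansion while word-splitting script lines

ALLOWED="applypatch log sh"   # assumption: commands a stock install-recovery.sh uses

# Print each suspicious invocation; return 0 if clean, 1 if anything was flagged.
check_install_recovery() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in \#*) continue ;; esac          # skip shebang and comments
        for tok in $line; do                           # unquoted on purpose: word-split
            case "$tok" in
                /system/xbin/*|/system/bin/*)
                    name=${tok##*/}; name=${name%";"}; name=${name%"&"}
                    case " $ALLOWED " in *" $name "*) ok=1 ;; *) ok=0 ;; esac
                    if [ "$ok" -eq 0 ]; then
                        printf 'SUSPICIOUS: %s\n' "$line"
                        found=1
                    fi ;;
            esac
        done
    done < "$1"
    return "$found"
}

# Constructed samples: a stock-looking script, and the same script with one appended
# launcher line (the path and name are made up for the demo, not real indicators).
CLEAN=$(mktemp); INFECTED=$(mktemp)
cat > "$CLEAN" <<'EOF'
#!/system/bin/sh
if ! /system/bin/applypatch -c EMMC:/dev/block/recovery:SIZE:SHA1 ; then
  /system/bin/log -t recovery "Installing new recovery image"
fi
EOF
cp "$CLEAN" "$INFECTED"
printf '/system/xbin/.hidden_svc &\n' >> "$INFECTED"

if check_install_recovery "$CLEAN"; then echo "clean sample: no findings"; fi
if ! check_install_recovery "$INFECTED"; then echo "infected sample: flagged"; fi
rm -f "$CLEAN" "$INFECTED"
```

A clean result here only means this one persistence point is untouched; the comment also names files dropped into /system/xbin and /system/bin, which need their own comparison against a known-good image.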

"For individuals, getting infected with Shedun, Shuanet, and ShiftyBug might mean a trip to the store to buy a new phone"

 

Am I missing something here, or is that like saying "if your PC gets a virus you might have to buy a new PC". If your phone can be rooted by some shitty autoroot hack, then I'm almost certain you'll be able to wipe and reflash the thing (fresh install).

 

EDIT: Yeah seems the guys that wrote this have clarified on a comment on the Ars website.

 

My thoughts exactly. How hard can that be?


Time to switch back to iPhone again. Or maybe Windows Phone this time :huh: .


Further reason why I switched to iPhone a couple years ago and probably won't ever go back.

 

 

And all the people laugh about us iPhone users...

 

 

Time to switch back to iPhone again. Or maybe Windows Phone this time :huh: .

Why?

It says these are distributed through third party sites.

 

As long as you stick to the official app store and check to make sure it is in fact the official app then you should be good to go right?

Unless of course I misunderstood the article.

 

I don't understand why someone would ever download an app from a third party.


Third party markets. That explains everything. 


Why?

It says these are distributed through third party sites.

 

As long as you stick to the official app store and check to make sure it is in fact the official app then you should be good to go right?

Unless of course I misunderstood the article.

 

I don't understand why someone would ever download an app from a third party.

 

One thing I will say, the Playstore should allow users to download a few previous versions of a particular app. I've been in the situation quite a number of times, where I've wanted to rollback an app, but have forgotten to make a backup of a previous version.


One thing I will say, the Playstore should allow users to download a few previous versions of a particular app. I've been in the situation quite a number of times, where I've wanted to rollback an app, but have forgotten to make a backup of a previous version.

Ahh. I see.

That did not come to mind.

I can understand that, and I really do agree that it should be an option.

Especially seeing how many people are being effected as a result.

I doubt they ever would though....which pisses me off.

Well, here's hoping that one day we can.


OP related info:

added some more text to the OP and clarification regarding the process of the malware not being able to be deleted.

 

My thoughts exactly. How hard can that be?

 

Actually not that hard at all it seems, which is worrisome, but then again it's the not-so-legal 3rd party app stores that spread this junk.

 

Time to switch back to iPhone again. Or maybe Windows Phone this time :huh: .

 

If you stay within the normal/legal play store you should be fine though, although windows phone could be a nice new experience, I heard it's incredibly stable.

 

Why?

It says these are distributed through third party sites.

 

As long as you stick to the official app store and check to make sure it is in fact the official app then you should be good to go right?

Unless of course I misunderstood the article.

 

I don't understand why someone would ever download an app from a third party.

Third party markets. That explains everything. 

 

I got a friend that uses 3rd party apps constantly, why? 'cause it's free and muh pokemon emulators. so yeah it kinda explains everything.

They must be quite a thorn in google's eye when it comes to android.

 

 

One thing I will say, the Playstore should allow users to download a few previous versions of a particular app. I've been in the situation quite a number of times, where I've wanted to rollback an app, but have forgotten to make a backup of a previous version.

this doesn't sound like such a bad idea imo, along with that can they maybe also remove the fact that "update all" installs all Google apps again? not that they are bad, but I don't use them (Chrome, the planner etc)


All root users be like:


 

And this is why we don't use auto root apps from the Play Store.


time to download MBAM for mobile...........

People want to switch over to iPhone because unofficial app downloads lead to adware/problems?

 

lol okay


