More Than 20,000 Android Apps Make Themselves ‘Impossible to Remove’

Security firm finds nagging apps that serve adware and root the phone.

by Lorenzo Franceschi-Bicchierai
Nov 4 2015, 2:00pm

Image: Daniel Sancho/Flickr

It's been a few rough months for Android security.

Over the summer, a security researcher revealed that almost a billion Android phones could be hacked with just a simple multimedia message. Google later patched the bugs, but botched the patch. Then, the same researcher found more bugs, these ones leaving more than a billion phones vulnerable to hackers.

Now, researchers have discovered that more than 20,000 apps, distributed outside of the Google Play store, pretend to be legitimate apps such as Facebook, WhatsApp and Twitter, are laced with malicious ads, and make themselves "impossible to remove."

The researchers, who work for mobile security firm Lookout, warn that while these apps might seem like simple "adware," they're actually "trojans." And since they're programmed to automatically gain full privileges and root the device, they not only become persistent, but also open the door for other apps to get full access to the user's data.

"Once you have root access on the phone you can really do anything you want," Michael Bentley, Lookout's head of research and response, told Motherboard. "The front door is now unlocked."


In this case, the apps have the goal of pushing ads and generating revenue for their creators, but there's nothing that's preventing them from having more nefarious goals, such as spying on the user. The apps not only pretend to be legitimate apps, they recreate the apps' functionalities. So the fake Facebook app doesn't just have a Facebook icon, it's a working app that also serves ads, and roots the phone, according to Lookout.

This way, even if the user tries to factory reset the device, "the infection persists," according to Bentley. At that point, the user might have to get "professional help" or get a new phone.

The malicious apps are all linked to three malware families known as Shuanet, Shedun, and ShiftyBug. Lookout has not identified the actors behind these adware campaigns, but it believes they share techniques and code.

"The implementation is so similar that it's exceptionally unlikely that they're unique," Bentley said.


For Android users, the good news is that these malicious apps are only being distributed on third-party app stores, not the official Google Play store. So the best way to avoid being infected by them is to stick to Google Play if you can.

Yet, many have been infected already. In fact, there have been "thousands" of infections all over the world, from the United States to Germany, Iran, and India, according to Lookout.

While these apps are not as dangerous as spyware designed to steal your banking credentials, users should be careful what they download, and avoid third-party app stores as much as possible.