Endpoint Security , Enterprise Mobility Management / BYOD , Fraud Management & Cybercrime

Android Trojanized Adware 'Shedun' Infections Surge

Researchers Say Malware Generates $300,000 Monthly For Chinese Gang
Android Trojanized Adware 'Shedun' Infections Surge

Security firms are warning that they've seen a spike in infections tied to a virulent strain of trojanized Android adware. Known as Shedun, the malware can root smartphones, survive factory resets and install additional applications, and is a reminder of the need to install and run anti-malware software on any Android device.

See Also: 2019 Internet Security Threat Report

"Shedun is trojanized adware that roots Android devices, masquerading as legitimate apps such as Facebook, Twitter, WhatsApp and Okta's enterprise single sign-on app," says Kristy Edwards, director of security product management at mobile security firm Lookout, in a blog post.

Shedun, which first appeared in August 2015, is also known as GhostPush, HummingBad, Hummer, AndroidOS_libskin, as well as by the name of the malicious Android .APK executable file itself, which is right_core.

Researchers at security vendor Check Point Software Technologies say that they've traced HummingBad - its preferred name for the malware - to a gang of Chinese cybercriminals associated with mobile ad server company Yingmob, based in Chongqing, which is a major city in southwestern China. In a recent report, the researchers say that after a five-month investigation, they found that the gang "runs alongside [the] legitimate Chinese advertising analytics company, sharing its resources and technology," and includes "25 employees that staff four separate groups responsible for developing HummingBad's malicious components."

Android Adware: Lucrative

Business appears to be booming for Yingmob and other cybercrime-associated groups that develop similar types of malware. In the past month, Lookout says it's seen a six-time increase in the number of Shedun infections affecting devices. "We believe this is attributable to the authors building new functionality or distributing the malware in new ways," Edwards says.

Check Point says that Shedun earns Yingmob $300,000 per month, and that the gang currently has control of 10 million infected Android devices around the world. Researchers estimate that of the 200 applications that HummingBad ties into and manages, using a tracking and analytics service called Umeng, 25 percent are malicious.

Meet Shuanet, ShiftyBug, BrainTest

Shedun isn't the only player in town. Lookout says the adware is very similar to three other malware families - Shuanet, ShiftyBug and BrainTest - each of which is tough to kill. "Shedun and the related families follow a particular pattern - they are adware that silently roots devices, allowing them to remain persistent even if the user performs a factory reset," Lookout's Edwards says. "Shedun also uses its root privileges to install additional apps onto the device, further increasing ad revenue for the authors and defeating uninstall attempts."

Security experts say that the impetus for installing trojanized adware onto Android smartphones is simple: money. In many cases, this income gets generated by pushing attacker-controlled advertising to trojanized apps, but that's not the only potential revenue stream for attackers. For example, the developers behind BrainTest, who also seem to be operating from China, appear to be selling guaranteed application installations to other developers, thus also generating income for those developers, Chris Dehghanpoor, a senior security analyst at Lookout, says in a blog post.

Industrialized Adware

In November 2015, Michael Bentley, head of research and response at Lookout, warned in a blog post that the these trojanized adware families were being distributed on an industrial scale, with the greatest number of related infections being seen in the United States, followed by Germany, Iran, Russia and India.

The malware is often included in a "free" version of a popular, paid application that gets repackaged by attackers. Unlike many previous types of Android malware, which involved little more than giving malware the name and icon associated with a real app, these malware families often do provide the real application, but at a cost.

"Malicious actors behind these families repackage and inject malicious code into thousands of popular applications found in Google Play, and then later publish them to third-party app stores," Bentley said. "Indeed, we believe many of these apps are actually fully functional, providing their usual services, in addition to the malicious code that roots the device."

Enterprise Implications

Trojanized adware is a nuisance for consumers, of course, who may be driven to discard their device and start over. But it's an especial worry for businesses, since adware subverts device permissions and theoretically gives attackers access to anything on the mobile device.

"For enterprises, having rooted devices on the network is a concern, especially if those devices were rooted by a repackaged version of a legitimate and popular enterprise app," Lookout's Bentley says. "In this rooted state, an everyday victim won't have the proper interface to control what apps on the phone request root access. The problem here is that these apps may gain access to data they shouldn't have access to, given their escalated privileges."

Life After Trojanized Adware

The problem with malware that can flash a device and survive factory resets is that unless it gets blocked outright by an anti-virus app running on the device - before the malware gets a chance to install itself - it's tough to eliminate.

But nuking trojanized adware such as Shedun isn't impossible. Lookout's Dehghanpoor recommends that users "backup anything on their device they would like to save, and then re-flash a ROM supplied by the device's manufacturer."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.