Last week, a new strain of trojan adware was discovered, bearing automatic device-rooting capabilities that make it almost impossible to remove from affected Android devices. This malware, dubbed Shuanet is another example of increasing sophistication in mobile threats.
Shuanet is the third family in a trilogy of recently discovered malicious adware that disguises itself as legitimate apps. The other two previously discovered in September are GhostPush and Kemoge. Together, the three variants of malware families discovered are evidently responsible for over 20,000 samples of such malware, masking as some of the top applications have been discovered. Examples include Candy Crush, Facebook, GoogleNow, NYTimes, Snapchat, Twitter, WhatsApp, and others.
The adware exploits Android vulnerabilities to automatically gain root privileges, and hides in the system directory. With root access, the malware is capable of performing every action that the device owner can, such as recording videos, taking pictures, listening through the microphone or installing additional components, without the owner’s knowledge.
Zimperium engine, z9, detected this attack without requiring an update. Apps that exploit operating system vulnerabilities are detected by our z9 engine, which has been trained against such infection vectors. zIPS, Zimperium’s Mobile Threat Protection solution, notifies the IT Admin on infected instances and provides comprehensive forensics. In addition, zIPS prompts the device owner of the malicious app prior to installations to remove the malware, enabling the device-owner to protect the device directly.
For compromised devices, we recommend the following to remediate:
- Block access to corporate resources (email, CRM, VPN, etc.)
- Flash new OS to the device (factory reset is not enough)
- Change all passwords on infected devices
Trojanized adwares are just a prelude to enhanced sophistication of mobile threats.