Inside the auto-rooting Android adware
People ‘root’ their smartphones for many reasons, most commonly to get as much control over the device as possible. Now malware is getting in on the act, with Trojanised, auto-rooting adware that attacks Android phones, roots them and installs itself as a system app that can survive a factory reset. IT Security Thing investigates.
Predictive security specialist Lookout, which uses ‘machine intelligence’ to predict zero-day attacks, has spotted a large number of auto-rooting adware infected apps in the wild. So far it has detected more than 20,000 samples, hidden in trojanised copies of legitimate and hugely popular applications such as Candy Crush, Facebook, Google Now, Okta 2FA, Snapchat, Twitter and WhatsApp.
Before you start worrying too much: the apps themselves are the genuine ones, but they have been repackaged by the threat actors with malicious code injected into them. From the user’s perspective they appear perfectly normal, functionality is not affected at all and the malware stays well hidden.
This, in and of itself, is unusual. Most commonly this type of app-cloning malware only goes as far as copying the name and the icon; when the clone is tapped it installs the malicious payload, but the original app never actually runs. If that sounds like even more reason to panic, you can still relax, unless you are in the habit of downloading your apps from outside the official Google Play app store.
The samples uncovered have three things in common, it would seem. The first thing they share is, as hinted at already, they were all available for download outside of the official Google Play app store. The highest detections so far, according to Lookout, have been in the US, Germany, Iran, Russia and India.
Second on the similarity list is that they share underlying code, with an overlap of up to 82 per cent, despite being three separate families of apparently independently developed malware. This suggests that the authors of Shuanet, Shedun and ShiftyBug (the latter also known as Kemoge) most likely used the same building blocks to assemble their code.
Thirdly, they share exploits as well. Given the shared codebase, this shouldn’t come as too much of a surprise. The rooting functions, for example, are the same publicly available ones, according to Lookout researchers. The eagle-eyed may have spotted the plural there, and it was deliberate: ShiftyBug employs no fewer than eight rooting exploits, presumably to root as many of the devices it lands on as possible.
According to FireEye researchers who were first to spot Kemoge operating last month, the root methods include “mempodroid, motochopper, perf_swevent exploit, sock_diag exploit, and put_user exploit.”
Some of the exploits are also derived from a commercial tool called Root Dashi. “After gaining root,” the FireEye researchers continue, “it executes root.sh to obtain persistency. Afterwards, it implants the AndroidRTService.apk into /system partition as Launcher0928.apk – the filename imitates the legit launcher system service. Moreover, the package name of this apk also looks like authentic services, e.g., com.facebook.qdservice.rp.provider and com.android.provider.setting.”
At present the payload appears to be limited to displaying advertisements, which is bad enough when the user has no way to disable them, but it could easily get worse. The attack chain is simple: once the Trojanised application is downloaded and installed, it roots the host device and installs the adware as a system app.
System apps, as we all know too well, cannot be deleted in the same way as other apps and are responsible for much of the bloatware on our smartphones. System apps also survive factory resets, because a reset wipes the user data partition (/data) and leaves /system untouched, which is exactly where this adware plants itself. So even if the adware were discovered, getting rid of it is by no means easy without root access or a reflash of the device firmware; for all but the most tech-savvy and adventurous users it would be pretty much out of reach.
What is of more concern, though, is that the device has been rooted without the owner’s knowledge. This leaves the path open, with only minimal code modifications, for future updates to these malware families to use the root privileges they already hold for credential capture and data exfiltration on a huge scale.
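The indicators FireEye quotes above (the implanted Launcher0928.apk and the two look-alike package names) and the /system persistence just described can be turned into a quick check. The following is an added example, not code from the article, Lookout or FireEye: it parses the output of `adb shell pm list packages -f` (one `package:<apk path>=<package name>` line per installed app) and flags known-bad filenames and package names, and, more generally, any package living under /system whose name is within a couple of edits of a genuine AOSP package name. The sample listing, the small allow-list of genuine package names and the edit-distance threshold are all constructed assumptions for illustration.

```python
"""Flag known-bad and look-alike system packages in `adb shell pm list packages -f` output."""
import re
import sys

# Genuine AOSP package names that the samples in the article imitate.
# Assumption: an illustrative allow-list, not an exhaustive one.
KNOWN_GOOD = {
    "com.android.providers.settings",
    "com.android.launcher3",
    "com.android.settings",
}

# Indicators quoted from the FireEye description in the article.
IOC_FILES = {"Launcher0928.apk"}
IOC_PACKAGES = {"com.facebook.qdservice.rp.provider", "com.android.provider.setting"}

# Constructed sample of `pm list packages -f` output; not captured from a real device.
# The last entry is a look-alike that is NOT in the IOC list, to show the generic check.
SAMPLE_PM_LIST = """\
package:/system/app/Launcher0928.apk=com.facebook.qdservice.rp.provider
package:/system/priv-app/SettingsProvider/SettingsProvider.apk=com.android.providers.settings
package:/system/app/Launcher3/Launcher3.apk=com.android.launcher3
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
package:/system/app/QdService/QdService.apk=com.android.provider.setting
package:/system/app/Setting/Setting.apk=com.android.setting
"""

LINE_RE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[A-Za-z0-9_.]+)$")


def parse_pm_list(text):
    """Yield (apk_path, package_name) for each well-formed line; ignore anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("pkg")


def levenshtein(a, b):
    """Plain dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_packages(text, max_distance=2):
    """Return [(reason, apk_path, package_name)] for entries worth a second look.

    Only packages under /system get the look-alike check: that is where the
    adware implants itself, and a genuine-looking name there is the tell.
    """
    hits = []
    for path, pkg in parse_pm_list(text):
        filename = path.rsplit("/", 1)[-1]
        if filename in IOC_FILES:
            hits.append(("known-bad apk filename", path, pkg))
        elif pkg in IOC_PACKAGES:
            hits.append(("known-bad package name", path, pkg))
        elif path.startswith("/system/") and pkg not in KNOWN_GOOD:
            nearest = min(KNOWN_GOOD, key=lambda g: levenshtein(pkg, g))
            if levenshtein(pkg, nearest) <= max_distance:
                hits.append((f"look-alike of {nearest}", path, pkg))
    return hits


if __name__ == "__main__":
    # Pipe real output in (`adb shell pm list packages -f | python3 flag_system_apps.py`),
    # or run with no input to use the constructed sample.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PM_LIST
    for reason, path, pkg in flag_packages(listing):
        print(f"{reason:40} {pkg:40} {path}")
```

The allow-list and threshold are deliberately small; on a real device you would seed KNOWN_GOOD from a clean reference image of the same firmware and treat every hit as a prompt to pull the APK and inspect it, not as proof of infection. A related one-line check for the sideloading risk discussed below: on Android releases before 8.0, `adb shell settings get secure install_non_market_apps` returns 1 when ‘Unknown sources’ is enabled.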
Our mitigation advice when it comes to all three of these malicious adware families is the same, and it’s pretty simple: don’t download apps from outside of the official Google Play infrastructure. Whilst official app stores are not completely immune to malware attack, your chances of downloading a malicious app are minimal to say the least.
Incidents such as XcodeGhost on iOS are something of a rare crossover, where a trojanised copy of Apple’s Xcode development tool, downloaded from a third-party source, led to infected apps reaching the official App Store; but they still serve to highlight the dangers of blind trust in third-party downloads. Oh, and further good advice is to always keep your devices updated to the latest version of the OS: the rooting exploits listed above are all publicly known bugs that have been patched in newer releases, so staying current at least reduces the number of them that can work.