What Is the New Trojanized Adware, and How Do You Fix It? [Lookout]

Android users should beware of a new kind of auto-rooting adware, a worrying development in the Android ecosystem. This trojanized adware is virtually impossible to uninstall, and a fix should not be expected any time soon. Once the user installs it, the malware roots the device automatically, embeds itself as a system application, and from then on is nearly impossible to remove. Android's openness to installing apps from sources other than Google Play gives such repackaged apps a distribution channel. Adware has traditionally been used to push ads aggressively; it is now becoming trojanized and far more sophisticated, which is a new trend for adware and an alarming one at that.

Security researchers from Lookout have detected over 20,000 samples of this trojanized adware masquerading as legitimate top applications, including games such as Candy Crush and social and productivity apps such as Facebook, Google Now, NYTimes, Okta, Snapchat, Twitter and WhatsApp.


As a reminder, there is a substantial difference between Android, an open-source OS shipped by many OEMs, and Apple's iOS. iOS runs only on Apple's own devices and, by default, installs apps only from the App Store, so it is far less exposed to this kind of repackaged adware than the many Android OEM devices are. In my view iOS comes out well ahead here. I am not telling you to buy an iPhone rather than an Android phone, but the fact is a fact.

The malicious actors behind these families take thousands of popular apps found in Google Play, repackage them with injected malicious code and an ad-pushing component, and then publish the result to third-party app stores. Many of these apps are fully functional and provide their usual services; the malicious code that roots the device automatically runs in addition to them.

Unlike older adware, which was obvious and obnoxious enough to prompt users to uninstall it, this new trojan-family adware is silent and works in the background, quietly rooting the device. To add insult to injury, victims will likely not be able to get rid of it: uninstalling is impossible, which leaves them with the options of seeking professional help to remove it or simply buying a new device.

Beyond the ads, the act of rooting the device in the first place creates additional security risks for enterprises and individuals alike, because other apps can then obtain root access and gain unrestricted access to files outside their own sandbox. Normally an application is not allowed to read the files created by other apps, but with root access those limitations are easily bypassed.

Lookout has studied three interconnected families: Shuanet, Kemoge (also called ShiftyBug) and Shedun (also referred to as GhostPush). Like all of these families, Shuanet auto-roots the device and hides in the system directory. Kemoge/ShiftyBug recently made headlines for rooting victims' devices and installing secondary payload apps, and Shedun/GhostPush is perhaps the best-known example of trojanized adware. Although they are commonly classed as simple "adware", these families are trojans, and together they are responsible for over 20,000 repackaged apps, including Okta's two-factor authentication app.

Antivirus apps appear to have been specifically excluded from repackaging, which suggests a high level of planning behind these campaigns, and explains why thousands of popular repackaged apps are available in third-party app stores. Most malware that pretends to be a popular app or game imitates the legitimate version in name and icon only; many of Shuanet's repackaged apps, by contrast, are fully functional, which makes it easier to trick an unsuspecting victim and to avoid detection.
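Two checks follow directly from the behaviour described above: a repackaged copy of a popular app cannot carry the original developer's signature (the attacker does not have that private key, so the APK is re-signed), and after rooting the families park themselves in the system partition, where ordinary third-party apps do not normally live. The script below is an added example, not Lookout's or any vendor's tooling; it triages a constructed package listing in the format of `adb shell pm list packages -f` against a hypothetical allowlist of signing-certificate digests. The package names are real, but every digest and every listing line is a made-up placeholder.

```python
"""Triage an Android package inventory for two indicators of trojanized adware.

Added example, not Lookout's tooling. It flags
  (1) a well-known third-party app whose APK lives in the system partition,
      where Shuanet, Kemoge and Shedun copy themselves after rooting, and
  (2) an APK whose signing certificate does not match the developer's
      known key, which is unavoidable for a repackaged app because the
      attacker cannot sign with the original developer's private key.

The listing format mirrors `adb shell pm list packages -f`
(`package:<apk path>=<package name>`); signer digests are the SHA-256
certificate digests printed by `apksigner verify --print-certs`.
All digests and sample lines below are constructed placeholders.
"""
import re
from dataclasses import dataclass

SYSTEM_PREFIXES = ("/system/app/", "/system/priv-app/")

# Hypothetical allowlist: package name -> SHA-256 of the legitimate signing
# certificate, recorded from a clean install. The values here are made up.
KNOWN_SIGNERS = {
    "com.facebook.katana": "aa" * 32,
    "com.whatsapp": "bb" * 32,
    "com.okta.android.auth": "cc" * 32,
}

PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")


@dataclass
class Finding:
    package: str
    reason: str


def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    inventory = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            inventory[m["pkg"]] = m["path"]
    return inventory


def triage(pm_output, signers, known=KNOWN_SIGNERS):
    """Return Findings for allowlisted packages that look repackaged.

    `signers` maps package name -> hex SHA-256 of the installed APK's
    signing certificate. Packages absent from `known` are not judged.
    """
    findings = []
    for pkg, path in parse_pm_list(pm_output).items():
        expected = known.get(pkg)
        if expected is None:
            continue
        if path.startswith(SYSTEM_PREFIXES):
            findings.append(Finding(pkg, f"third-party app in system partition: {path}"))
        actual = signers.get(pkg)
        if actual is not None and actual.lower() != expected.lower():
            findings.append(Finding(pkg, "signing certificate differs from the known developer key"))
    return findings


# Constructed sample: one clean app, one re-signed copy parked in /system,
# one re-signed copy still in /data/app, plus an unrelated system package.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
package:/system/app/Facebook/Facebook.apk=com.facebook.katana
package:/data/app/com.okta.android.auth-2/base.apk=com.okta.android.auth
"""
SAMPLE_SIGNERS = {
    "com.whatsapp": "bb" * 32,           # matches the allowlist
    "com.facebook.katana": "ee" * 32,    # re-signed by the repackager
    "com.okta.android.auth": "ff" * 32,  # re-signed by the repackager
}

if __name__ == "__main__":
    for f in triage(SAMPLE_PM_OUTPUT, SAMPLE_SIGNERS):
        print(f"{f.package}: {f.reason}")
```

Two caveats. Carrier and OEM preloads legitimately place apps such as Facebook under /system/app, so the location check is a lead rather than proof; the signer comparison is the decisive one, and `keytool -printcert -jarfile` gives the same digest if `apksigner` is not at hand. And because the malware holds root, anything read over a live `adb shell` could in principle be tampered with, so pull the APKs and verify them off the device.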


The three families also share exploits. To root the device, each trojanized adware app uses publicly available exploits that perform the rooting. The following exploits are used by ShiftyBug and Shuanet:

  • Memexploit
  • Framaroot
  • ExynosAbuse

These are not new exploits; in fact, many of them are used in popular root enablers. Because the adware roots the device and installs itself as a system application, it cannot be removed through normal means, and even a factory reset does not help: a reset wipes the /data partition but leaves /system intact. Realistic remediation is reflashing the stock firmware image where the OEM provides one, or otherwise replacing the device, which is why infection with any of these three may mean a trip to the store for a new phone.

Lookout observed the infections concentrated in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico and Indonesia. Android users are advised to stick to Google Play for downloading and installing apps and, for now, to avoid third-party app channels.

Beware: more adware families that trojanize popular apps will emerge, and they will look to dig their heels into the system partition to avoid being removed.

Thanks to Lookout.