Mobile security firm Lookout says it discovered the original threat in November 2015 (I have had several releases from other vendors claiming that too), but it seems to have the most comprehensive, FUD-free information about it. Unlike some of the others, it makes no claim of a billion infections.
Its blog gives the generic name as Shedun: adware that silently roots Android devices. It arrives in side-loaded apps (i.e. obtained from somewhere other than Google Play) that masquerade as legitimate apps such as Facebook, Twitter, WhatsApp and Okta's enterprise single sign-on app.
Lookout has also seen it in trojanized versions of Candy Crush, Facebook, Google Now, NYTimes, Snapchat and many others; in fact, it says the malware has been found in up to 20,000 apps, and more are being infected.
These apps have been repackaged by cybercriminals, re-signed with valid certificates (necessarily the attackers' own, since modifying an APK invalidates the original developer's signature) and placed in the third-party app stores that are popular in Asia, where Google Play may not be accessible. The apps remain fully functional, and because the rooting is silent a user has little chance of noticing the infection. The bottom line: you cannot trust any third-party app store.
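Because a repackaged APK cannot carry the original developer's signature, the practical defence for anyone vetting apps in bulk is to pin the signing certificate's fingerprint and flag any build signed by a different key. The following is an added example, not Lookout's or Google's code: it reads the JAR-style (v1) signature block `META-INF/*.RSA|DSA|EC`, pulls the signer certificates out of the PKCS#7 SignedData with a minimal DER walker, and compares their SHA-256 fingerprints (the same value `apksigner verify --print-certs` reports as the signer certificate digest) with the fingerprints expected for the genuine app. The sample APK and the two "certificates" are constructed for the demo; they are bare DER SEQUENCEs, not real X.509 objects, which is all the walker needs.

```python
import hashlib
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
SIG_EXTS = (".RSA", ".DSA", ".EC")                     # v1 (JAR) signature block names


def _der_read(buf: bytes, pos: int):
    """Decode one DER TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _der_children(buf: bytes, start: int, end: int):
    """Yield (tag, element_start, value_start, value_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vend = _der_read(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend


def certs_from_pkcs7(der: bytes) -> list:
    """Return the DER bytes of every certificate carried in a PKCS#7 SignedData blob."""
    tag, vstart, vend = _der_read(der, 0)                     # ContentInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    content_type, wrapper = list(_der_children(der, vstart, vend))[:2]
    if der[content_type[2]:content_type[3]] != OID_SIGNED_DATA:
        raise ValueError("ContentInfo is not signedData")
    signed = next(_der_children(der, wrapper[2], wrapper[3]))  # [0] EXPLICIT SignedData
    certs = []
    for tag, _, cstart, cend in _der_children(der, signed[2], signed[3]):
        if tag == 0xA0:                     # certificates [0] IMPLICIT SET OF CertificateChoices
            for ctag, estart, _, evend in _der_children(der, cstart, cend):
                if ctag == 0x30:            # Certificate is a SEQUENCE; other choices are tagged
                    certs.append(der[estart:evend])
    return certs


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signer_fingerprints(apk_bytes: bytes) -> list:
    """SHA-256 fingerprints of all v1 signer certificates found in the APK."""
    fingerprints = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(SIG_EXTS):
                fingerprints.extend(sha256_hex(c) for c in certs_from_pkcs7(zf.read(name)))
    return fingerprints


def is_repackaged(apk_bytes: bytes, pinned: set) -> bool:
    """True if the APK has no v1 signer or any signer is not one of the pinned fingerprints."""
    found = signer_fingerprints(apk_bytes)
    return not found or any(fp not in pinned for fp in found)


# --- constructed sample data: not real certificates, not a real app -------------
def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _fake_cert(label: bytes) -> bytes:
    """A SEQUENCE standing in for an X.509 Certificate (hypothetical, demo only)."""
    return _der(0x30, _der(0x02, b"\x01") + _der(0x13, label))


GENUINE_CERT = _fake_cert(b"constructed: genuine developer cert")
ATTACKER_CERT = _fake_cert(b"constructed: repackager cert")


def build_sample_pkcs7(cert_der: bytes) -> bytes:
    """Minimal SignedData carrying one certificate (signerInfos left empty for the demo)."""
    signed_data = _der(0x30, _der(0x02, b"\x01")                # version
                       + _der(0x31, b"")                        # digestAlgorithms
                       + _der(0x30, _der(0x06, OID_DATA))       # encapContentInfo
                       + _der(0xA0, cert_der)                   # certificates [0]
                       + _der(0x31, b""))                       # signerInfos
    return _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, signed_data))


def build_sample_apk(cert_der: bytes, signed: bool = True) -> bytes:
    """A toy APK: a zip with a manifest, a dex and, optionally, a v1 signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", build_sample_pkcs7(cert_der))
    return buf.getvalue()


if __name__ == "__main__":
    pinned = {sha256_hex(GENUINE_CERT)}   # fingerprint recorded from a known-good release
    for label, apk in [("genuine", build_sample_apk(GENUINE_CERT)),
                       ("repackaged", build_sample_apk(ATTACKER_CERT)),
                       ("unsigned", build_sample_apk(GENUINE_CERT, signed=False))]:
        print(f"{label:10s} repackaged={is_repackaged(apk, pinned)}")
```

Two caveats for real use. First, this inspects the v1 (JAR) signer only; APK Signature Scheme v2, introduced with Nougat, stores its signatures in the APK Signing Block rather than under `META-INF/`, so a v2-only APK is reported here as having no signer. Second, the code identifies which certificate is present but does not verify the signature over the APK contents; run `apksigner verify --print-certs` for that and pin the digest it prints.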
Three similar families are associated with Shedun (also known as GhostPush): Shuanet, ShiftyBug (Kemoge) and BrainTest. They share 71 to 82% of their codebase, and Lookout believes they are managed and further developed by rival Asia-based criminal groups.
It is commonly said that Android with a paid antivirus/anti-malware app is now as safe as iOS (whether iOS needs one is another story, as Apple will not allow AV vendors into its ecosystem). What is becoming clear is that you need to get to Android M (6.0 Marshmallow) or N (7.0 Nougat) as soon as possible, and you need to buy from a maker that delivers prompt updates. In the past six months Google has patched 270 known vulnerabilities, 108 of them in the latest batch in July.
It is not all Android's fault either: 60% of the patches relate to vendor-specific components from Qualcomm, MediaTek and NVIDIA, covering the drivers and firmware for everything from Wi-Fi, graphics and audio to camera, power management and display.
The huge issue is that these patches are delayed by device makers and telcos, and with many brands you are lucky ever to see them at all. Google publishes instructions on how to check the security patch level of Nexus devices. Pure Android must happen soon, or proprietary operating systems like Tizen will be adopted instead.
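For more than one or two handsets, checking the patch level by hand in Settings does not scale. The script below is an added example (not Google's instructions or Lookout's code) that reads the `ro.build.version.security_patch` system property, which Android has exposed since 6.0, from every device attached over `adb`, and classifies each one against a cutoff date. It assumes `adb` is on the PATH when run against real hardware; when it is not, it falls back to constructed sample output so the logic can still be exercised. Two details matter in practice: builds older than 6.0 have no such property and must be treated as unknown rather than current, and older `adb` builds terminate lines with `\r\n`, so the value has to be stripped before parsing.

```python
import datetime as dt
import shutil
import subprocess

# System property carrying the build's security patch level (YYYY-MM-DD); absent before Android 6.0.
PATCH_PROP = "ro.build.version.security_patch"


def parse_adb_devices(output: str) -> list:
    """Serials of devices in the 'device' state from `adb devices` output.

    Devices shown as 'unauthorized' or 'offline' are skipped: getprop would fail on them.
    """
    serials = []
    for line in output.splitlines()[1:]:              # first line is "List of devices attached"
        parts = line.strip().split()
        if len(parts) >= 2 and parts[1] == "device":
            serials.append(parts[0])
    return serials


def assess_patch_level(level: str, cutoff: str) -> str:
    """'current' if the patch level is on or after cutoff, 'stale' if before,
    'unknown' if the property is empty or malformed (pre-6.0 builds, or a botched ROM)."""
    level = level.strip()                             # drops the \r\n older adb builds emit
    try:
        have = dt.datetime.strptime(level, "%Y-%m-%d").date()
    except ValueError:
        return "unknown"
    want = dt.datetime.strptime(cutoff, "%Y-%m-%d").date()
    return "current" if have >= want else "stale"


def device_patch_level(serial: str) -> str:
    """Query one attached device; returns the raw property value (may be empty)."""
    result = subprocess.run(["adb", "-s", serial, "shell", "getprop", PATCH_PROP],
                            capture_output=True, text=True, timeout=30)
    return result.stdout


# Constructed sample output and property values; not captured from real hardware.
SAMPLE_ADB_DEVICES = ("List of devices attached\n"
                      "ZX1G22ABCD\tdevice\n"
                      "0123456789ABCDEF\tunauthorized\n"
                      "LGH870XYZ\tdevice\n")
SAMPLE_LEVELS = {"ZX1G22ABCD": "2016-07-05\r\n",   # patched this month
                 "LGH870XYZ": ""}                   # pre-6.0 build, property absent


def audit(cutoff: str, devices_output: str, levels: dict) -> dict:
    """Map each usable serial to its verdict against the cutoff."""
    return {s: assess_patch_level(levels.get(s, ""), cutoff)
            for s in parse_adb_devices(devices_output)}


if __name__ == "__main__":
    cutoff = "2016-07-01"                             # e.g. the month of the latest bulletin
    if shutil.which("adb"):
        listing = subprocess.run(["adb", "devices"], capture_output=True, text=True).stdout
        levels = {s: device_patch_level(s) for s in parse_adb_devices(listing)}
    else:
        listing, levels = SAMPLE_ADB_DEVICES, SAMPLE_LEVELS
    for serial, verdict in audit(cutoff, listing, levels).items():
        print(f"{serial:18s} {levels.get(serial, '').strip() or '-':12s} {verdict}")
```

The cutoff is deliberately a parameter: a sensible policy is the first of the month of the most recent bulletin you expect your maker to have shipped, and anything reported as `unknown` deserves a look in `Settings > About phone` rather than being waved through.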
Most paid antivirus/anti-malware products now detect it, but once a device is infected the only cure is to reflash the ROM: after rooting, the trojan installs itself as a system app on the system partition, which a factory reset does not wipe. Reflashing requires a higher level of technical expertise than most users have.