The need to download apps from Google’s official Google Play store is more important than ever, with third-party Android stores simply not to be trusted.
This worrying news comes thanks to security firm Lookout, which in a blog post has noted malware so severe that it automatically roots an Android system, ‘embeds itself as a system application, and becomes nearly impossible to remove.’
The company also notes that what was once mere adware is now ‘becoming trojanised and sophisticated’, which is an alarming new trend.
There are over 20,000 samples of this new trojanised adware, which are top apps repackaged by malicious actors, downloaded from Google Play but published to third-party app stores.
The apps include Candy Crush, Facebook, Google Now, NYTimes, Okta, Snapchat, Twitter, WhatsApp, and many others.
Third party app stores for Android are especially popular in China, where the official Google Play App Store is not available thanks to China’s restrictions on Google services in the Middle Kingdom.
Lookout believes that ‘many of these apps are actually fully-functional, providing their usual services, in addition to the malicious code that roots the device.’
Although there have been past reports of dodgy apps within Google Play, which Google has had to remove despite Google's 'Bouncer' to protect against malware, (here's one recent example, and here's another) this attack differs to the one that saw, at least in the Chinese iOS App Store, iOS apps that had malware of their own due to infected versions of Apple’s Xcode, resulting in the XCodeGhost situation that iTWire reported on here.
Infected iOS apps could be easily uninstalled and replaced with cleansed apps, but in the case of the infected Lookout-indetified apps, the security firm says ‘this new type of [Android] adware is silent, working in the background. These malicious apps root the device unbeknownst to the user. To add insult to injury, victims will likely not be able to uninstall the malware, leaving them with the options of either seeking out professional help to remove it, or simply purchasing a new device.’
Lookout says that ‘the act of rooting the device in the first place creates additional security risk for enterprises and individuals alike, as other apps can then get root access to the device, giving them unrestricted access to files outside of their domain.’
‘Usually applications are not allowed to access the files created by other applications, however with root access, those limitation are easily bypassed.’
Some ArsTechnica readers do note that people who know what they are doing could certainly fix infected devices but these would clearly be users with more than enough technical knowledge, something that clearly leaves the everyday user up the proverbial creek without a trojan-free smartphone to use as a waterproof paddle.
But that’s not all. Lookout says the story is bigger, with three interconnected families of Android adware on the scene - the Shuanet family, Kemoge (also known as Shiftybug) and Shedun, also known as Ghostpush.
All three families of mal/adware/trojans auto-root your Android device and hide in the system directory, and can also install ‘secondary payload apps’.
Together, the three are responsible for over 20,000 repackaged apps, including Okta’s two-factor authentication app. Lookout says it is in contact with Okta regarding this malicious repackaging of its app.
Lookout says that anti-virus apps have been specifically excluded from trojanisation.
The highest detections for these three families together are in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.
These trojans use the Memexploit, Framaroot and ExynosAbuse exploits, but they aren’t new - many are used ‘in popular root enablers.’
Again, Lookout warns that anyone infected with these trojans ‘might mean a trip to the store to buy a new phone,’ which is ‘because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy.’
While this isn’t exactly an #Androiddisaster, as the more hyperbolic pundits might resort to click baiting article headlines with, it is yet another glaring sign that as smartphones and tablets become our everyday computing devices over and above laptops and desktop, security is more paramount than ever.
Article concludes after this ad, please read on!
Installing Android apps from third party app stores is a dangerous game of Russian roulette.
Running Android devices without security software, but even that is no guarantee, with Lookout expecting ‘this class of trojanised adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional aware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities.’
Given that Lookout believes that ‘more families of adware trojanising popular apps will emerge in the near future and look to dig its heels into the reserved file system to avoid being removed,’ we are left with the question of what truly is the best course of action.
Lookout doesn’t give advice on what to do, but I will.
As noted before, only download apps from Google Play, and run security software on your Android smartphone and tablet.
You should also reconsider the need to download many apps at all onto your Android device.
If you need an Android device for business, or to do banking, or for serious stuff, then keep all third party apps to an absolute minimum.
Want to have fun, do Facebook, play Candy Crush, send Snapchats or Tweets?
Then it would seem safest to do it all on a separate Android device. Android devices are so cheap to buy nowadays, why trust your primary device to potentially dodgy and honestly not that important third party apps?
Yes, that's inconvenient, but getting infected by nearly impossible to remove malware and suffering major data loss or whatever the payload might be is likely much, much worse.
Sure, if that separate Android device gets infected with something and malware has activated your second device’s camera or microphone, you won’t be terribly safe, but at least your main phone, the one you do your banking with, the one you send business emails on, the one that is your ‘serious’ phone - won’t be infected.
Or at least, hopefully not. Perhaps the only way to be truly safe is to not use technology at all, but then what fun would that be, and how would you check your Facebook feed?