SPECIAL STATE PROTECTION SERVICE
SPECIAL COMMUNICATION AND INFORMATION
SECURITY STATE AGENCY

COMPUTER EMERGENCY
RESPONSE CENTER

Report Incident

Articles > Android Trojanized Adware 'Shedun' Infections Surge

27 July 2016

 Security firms are warning that they've seen a spike in infections tied to a virulent strain of trojanized Android adware. Known as Shedun, the malware can root smartphones, survive factory resets and install additional applications, and is a reminder of the need to install and run anti-malware software on any Android device.

"Shedun is trojanized adware that roots Android devices, masquerading as legitimate apps such as Facebook, Twitter, WhatsApp and Okta's enterprise single sign-on app," says Kristy Edwards, director of security product management at mobile security firm Lookout, in a blog post.

Shedun, which first appeared in August 2015, is also known as GhostPush, HummingBad, Hummer, AndroidOS_libskin, as well as by the name of the malicious Android .APK executable file itself, which is right_core.

Researchers at security vendor Check Point Software Technologies say that they've traced HummingBad - its preferred name for the malware - to a gang of Chinese cybercriminals associated with mobile ad server company Yingmob, based in Chongqing, which is a major city in southwestern China. In a recent report, the researchers say that after a five-month investigation, they found that the gang "runs alongside [the] legitimate Chinese advertising analytics company, sharing its resources and technology," and includes "25 employees that staff four separate groups responsible for developing HummingBad's malicious components."

Android Adware: Lucrative
Business appears to be booming for Yingmob and other cybercrime-associated groups that develop similar types of malware. In the past month, Lookout says it's seen a six-time increase in the number of Shedun infections affecting devices. "We believe this is attributable to the authors building new functionality or distributing the malware in new ways," Edwards says.

Check Point says that Shedun earns Yingmob $300,000 per month, and that the gang currently has control of 10 million infected Android devices around the world. Researchers estimate that of the 200 applications that HummingBad ties into and manages, using a tracking and analytics service called Umeng, 25 percent are malicious.

"Shedun detections spiked over 300% in March, and further spiked over 600% in the past month." Source: @Lookout pic.twitter.com/DWAX8A24Fz

— Mathew J Schwartz (@euroinfosec) July 8, 2016
Meet Shuanet, ShiftyBug, BrainTest
Shedun isn't the only player in town. Lookout says the adware is very similar to three other malware families - Shuanet, ShiftyBug and BrainTest - each of which is tough to kill. "Shedun and the related families follow a particular pattern - they are adware that silently roots devices, allowing them to remain persistent even if the user performs a factory reset," Lookout's Edwards says. "Shedun also uses its root privileges to install additional apps onto the device, further increasing ad revenue for the authors and defeating uninstall attempts."

Security experts say that the impetus for installing trojanized adware onto Android smartphones is simple: money. In many cases, this income gets generated by pushing attacker-controlled advertising to trojanized apps, but that's not the only potential revenue stream for attackers. For example, the developers behind BrainTest, who also seem to be operating from China, appear to be selling guaranteed application installations to other developers, thus also generating income for those developers, Chris Dehghanpoor, a senior security analyst at Lookout, says in a blog post.

Industrialized Adware
In November 2015, Michael Bentley, head of research and response at Lookout, warned in a blog post that the these trojanized adware families were being distributed on an industrial scale, with the greatest number of related infections being seen in the United States, followed by Germany, Iran, Russia and India.

The malware is often included in a "free" version of a popular, paid application that gets repackaged by attackers. Unlike many previous types of Android malware, which involved little more than giving malware the name and icon associated with a real app, these malware families often do provide the real application, but at a cost.

"Malicious actors behind these families repackage and inject malicious code into thousands of popular applications found in Google Play, and then later publish them to third-party app stores," Bentley said. "Indeed, we believe many of these apps are actually fully functional, providing their usual services, in addition to the malicious code that roots the device."

Enterprise Implications
Trojanized adware is a nuisance for consumers, of course, who may be driven to discard their device and start over. But it's an especial worry for businesses, since adware subverts device permissions and theoretically gives attackers access to anything on the mobile device.

"For enterprises, having rooted devices on the network is a concern, especially if those devices were rooted by a repackaged version of a legitimate and popular enterprise app," Lookout's Bentley says. "In this rooted state, an everyday victim won't have the proper interface to control what apps on the phone request root access. The problem here is that these apps may gain access to data they shouldn't have access to, given their escalated privileges."

Top 20 countries targeted by trojanized adware Shedun.
Source: @CheckPointSW pic.twitter.com/TjnFWCpSBm

— Mathew J Schwartz (@euroinfosec) July 8, 2016
Life After Trojanized Adware
The problem with malware that can flash a device and survive factory resets is that unless it gets blocked outright by an anti-virus app running on the device - before the malware gets a chance to install itself - it's tough to eliminate.

But nuking trojanized adware such as Shedun isn't impossible. Lookout's Dehghanpoor recommends that users "backup anything on their device they would like to save, and then re-flash a ROM supplied by the device's manufacturer."