Jack

Administrator
Staff member
Verified
Zero interaction was needed in a proof-of-concept video released by Lookout, a cyber-security vendor specialized in mobile device security.

The guilty party in the video is called Shedun (also known as GhostPush), a trojanized adware that infects a user's phone and roots the device when the owner is careless enough to install apps from non-official sources (third-party app stores).

While initially Shedun only rooted the device and installed various ad-delivery apps, a new version of the adware was discovered, one that asks the user to turn on the phone's accessibility features during its installation.

The user is presented with a message that says something like: "[APP_NAME] uses accessibility features to help stop inactive apps you aren't using. You'll see a standard privacy reminder. Please feel at ease about turning it on."

If the user is tricked by the friendly message in which he's asked to give the app access to these features, the adware will then be able to read data passed via Android popups and take action on its own, without any user interaction.

This allows the adware to download and install apps without the user ever doing anything. Below is a video of the adware delivering an ad, but installing another app without any kind of user interaction when the user taps the ad's "close" button.
Below is a video of the adware requesting access to the phone's accessibility features during its installation.


Read more: Video: Watch Shedun Adware Install Unwanted Apps Without User Interaction
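As an added example (not part of the original thread or of Lookout's report), this defensive check cross-references the enabled accessibility services with each package's installer, as reported by `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`. It flags services belonging to apps that did not come from the Play Store. The sample strings and the `com.example.*` package names are constructed for illustration.

```python
# Added example: the sample inputs below are constructed, not real device output.
PLAY_STORE = "com.android.vending"

def parse_installers(pm_output):
    """Parse `pm list packages -i` lines: 'package:<name>  installer=<pkg>'."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        if not fields:
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer="):
                installer = field.split("=", 1)[1]
        # Sideloaded (and preloaded) apps report 'installer=null'.
        installers[fields[0]] = None if installer in (None, "", "null") else installer
    return installers

def parse_accessibility(setting_value):
    """Split the colon-separated 'package/service' list; 'null' means none enabled."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [c for c in value.split(":") if "/" in c]

def flag_untrusted_accessibility(setting_value, pm_output, trusted=(PLAY_STORE,)):
    """Return (package, component, installer) for services not installed by a trusted store."""
    installers = parse_installers(pm_output)
    findings = []
    for component in parse_accessibility(setting_value):
        package = component.split("/", 1)[0]
        installer = installers.get(package)
        if installer not in trusted:
            findings.append((package, component, installer or "none (sideloaded or preloaded)"))
    return findings

SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.cleaner/com.example.cleaner.BoostService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.cleaner  installer=null
package:com.example.game  installer=com.android.vending"""

if __name__ == "__main__":
    for finding in flag_untrusted_accessibility(SAMPLE_SETTING, SAMPLE_PM):
        print("review:", finding)
```

Preloaded system apps also report no installer, so a hit is a prompt for manual review rather than a verdict.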
 
LabZero

Yes, it seems that if your smartphone is infected by one of these pieces of malware, it is unusable.
But the infection takes place by downloading files or applications from an unofficial store. It seems trivial, but this solution is still used a lot by those who, instead of buying apps and games, prefer to download pirated apps, loading them onto their phone and neglecting normal safety logic.
 

Enju

New Member
Google should just make it a tad harder to install apps from 3rd party sources and I bet the infection rates would go down rapidly. They could, for example, only allow sideloading via ADB and a lot of inexperienced users who install pirated apps would instantly give up. This wouldn't even influence the workflow of developers since everyone loads their app via ADB anyways.
 

jamescv7

Level 61
Trusted
Verified
Since that adware mainly comes from 3rd-party sources, it's the user's fault when they insist on accepting the program without any verification.

These days, many users don't install an AV as it's not practical for them, and the Play Store is good enough at providing quality products confirmed to be safe, without bothering to go to many websites with unscrupulous content.
 

Solarquest

Moderator
Staff member
Malware Hunter
Verified
The problem, and that's why my question above, is if/when they get on Google Play.
Do AVs detect it before installation?
Can AVs detect it on an infected device?
Which ones?
 
LabZero

"Lookout has detected over 20,000 samples of this type of trojanized adware masquerading as legitimate top applications, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp, and many others."

So I think that Lookout can detect it during the app's scan.

Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire | Lookout Blog
 

Solarquest

Moderator
Staff member
Malware Hunter
Verified
:p, yes, Lookout can detect it in files... can it also on an already infected device?

...hopefully the other AVs do the same. :)
 
LabZero

Android AV does a scan of each app before it's installed, so if it's detected, how can it install?
If the device is already infected, there is no way... to recover it.
Now this malware is known, so I think it is also detected by other AVs.
 

jamescv7

Level 61
Trusted
Verified
For such a simple concept as AV on mobile, let's take it as a sure thing that they will detect it before execution and while it is active.

Usually AVs will encourage you to uninstall the labeled program as soon as possible when it is detected.