Watch Shedun Adware Install Unwanted Apps Without User Interaction

Jack

Zero interaction was needed in a proof-of-concept video released by Lookout, a cyber-security vendor specialized in mobile device security.

The guilty party in the video is called Shedun (also known as GhostPush), a trojanized adware that infects a user's phone and roots the device when the owner is careless enough to install apps from non-official sources (third-party app stores).

While initially Shedun only rooted the device and installed various ad-delivery apps, a new version of the adware was discovered, one that asks the user to turn on the phone's accessibility features during its installation.

The user is presented with a message that says something like: "[APP_NAME] uses accessibility features to help stop inactive apps you aren't using. You'll see a standard privacy reminder. Please feel at ease about turning it on."

If the user is tricked by the friendly message in which he's asked to give the app access to these features, the adware will then be able to read data passed via Android popups and take action on its own, without any user interaction.

This allows the adware to download and install apps without the user ever doing anything. Below is a video of the adware delivering an ad, but installing another app without any kind of user interaction when the user taps the ad's "close" button.

Below is a video of the adware requesting access to the phone's accessibility features during its installation.



Read more: Video: Watch Shedun Adware Install Unwanted Apps Without User Interaction
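A defender-side check for the accessibility abuse described in the post above, as an added example that is not part of the original post or of Lookout's tooling: it lists enabled accessibility services and flags those whose package was not installed by the Play Store. It assumes the two inputs were captured with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the sample output and the `com.example.*` names are constructed.

```python
import re

PLAY_STORE = "com.android.vending"

# Constructed sample output, standing in for what the two adb commands print.
SERVICES = ("com.google.android.marvin.talkback/"
            "com.google.android.marvin.talkback.TalkBackService:"
            "com.example.cleaner/com.example.cleaner.BoostService")
PACKAGES = """package:com.google.android.marvin.talkback  installer=null
package:com.example.cleaner  installer=null
package:com.example.notes  installer=com.android.vending
"""

def parse_enabled_services(raw):
    """Split the colon-separated component list into (package, class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":      # 'null' is printed when nothing is enabled
        return []
    return [tuple(c.partition("/")[::2]) for c in raw.split(":")]

def parse_installers(raw):
    """Map package name -> installer package from 'pm list packages -i' output."""
    pairs = re.findall(r"^package:(\S+)\s+installer=(\S+)", raw, re.M)
    return dict(pairs)

def audit(services_raw, packages_raw, allowlist=()):
    """Return (package, service class, installer) for every enabled
    accessibility service that is neither allowlisted nor store-installed."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        if pkg in allowlist:
            continue                  # e.g. a preinstalled screen reader
        source = installers.get(pkg, "unknown")
        if source != PLAY_STORE:
            findings.append((pkg, cls, source))
    return findings

if __name__ == "__main__":
    for pkg, cls, source in audit(SERVICES, PACKAGES,
                                  allowlist={"com.google.android.marvin.talkback"}):
        print(f"review: {pkg} ({cls}) installer={source}")
```

Preinstalled apps also report `installer=null`, which is why known system services go in the allowlist rather than being trusted by installer alone.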
 

Solarquest

I read it is "almost impossible" to delete this malware; what about pre/post infection detection by AV?
 

LabZero

Yes, it seems that if your smartphone is infected by one of these malware it is unusable.
But the infection takes place by downloading files or applications from an unofficial store. It seems trivial, but this solution is still used a lot by those who, instead of buying apps and games, prefer to download pirated apps, loading them on the phone and neglecting the normal safety logic.
 

Enju

Google should just make it a tad harder to install apps from 3rd party sources and I bet the infection rates would go down rapidly. They could, for example, only allow sideloading via ADB and a lot of inexperienced users who install pirated apps would instantly give up. This wouldn't even influence the workflow of developers since everyone loads their app via ADB anyways.
 

jamescv7

Since that adware is mainly from 3rd-party sources, it's the user's fault when they insist on accepting the program without any verification.

These days, many users don't install AV as it's not practical for them + the Play Store is good enough to provide quality products confirmed to be safe, without bothering to go on many websites with unscrupulous content.
 

Solarquest

The problem, and that's why I asked my question above, is if/when they get on Google Play.
Do AVs detect it before installation?
Can AVs detect it on an infected device?
Which ones?
 

LabZero

"Lookout has detected over 20,000 samples of this type of trojanized adware masquerading as legitimate top applications, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp, and many others."

So I think that Lookout can detect it during the app's scan.

Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire | Lookout Blog
 

Solarquest

:p, yes, Lookout can detect it in files... can it also on an already infected device?

...hopefully the other AVs do the same. :)
 

LabZero

Android AV does a scan of each app before it's installed, so if it's detected, how can it install?
If the device is already infected, no way... to recover it.
Now this malware is known, so I think it is also detected by other AVs.
 

jamescv7

For such a simple concept of AV on mobile, let's take it as sure that they will detect it before execution and in its present action.

Usually AVs will encourage you to uninstall the labelled program when possible once it is detected.
 
