Shedun

Shedun is a family of malware software (also known as Kemoge, Shiftybug and Shuanet^[1][2]) targeting the Android (operating system) first identified in late 2015 by mobile security company Lookout (company), affecting roughly 20,000^[3] popular Android applications.^[2][4][5][6]

Avira Protection Labs stated that Shedun family malware is detected to cause approximately 1500-2000 infections per day.^[7] All three variants of the virus are known to share roughly ~80% of the same source code.^[8][9]

The malware's primary attack vector is repackaging legitimate Android applications (e.g. Facebook, Twitter, WhatsApp, Candy Crush, Google Now, Snapchat^[10])^[3][11][12] with adware included, the app which remains functional is then released to a third party app store^[13]; once downloaded, the application generates revenue by serving ads (estimated to amount to $2 US per installation^[12]), most users cannot get rid of the virus without getting a new device, as the only other way to get rid of the malware is to root affected devices and re-flash a custom ROM.^[4][14][15]

In addition, Shedun-type malware has been detected pre-installed on 26 different types^[16] of Chinese Android-based hardware such as Smartphones and Tablet computers. ^{[17][18][19][20] [21][22][23][24][25][26][27][28][29][30][31]}

Shedun-family malware is known for auto-rooting the Android OS ^[32][11] using well-known exploits like ExynosAbuse, Memexploit und Framaroot ^[33] (causing a potential privilege escalation^[34][12][35])^[36] and for serving trojanized adware and install themselves within the system partition of the operating system, so that not even a factory reset can remove the malware from infected devices.^[37][38]

Shedun malware is known for targeting the Android Accessibility Service,^{[39][40][1][37][41][42][43]} as well as for downloading and installing arbitrary applications^[44] (usually adware) without permission,^[2] it is classified as "aggressive adware" for installing potentially unwanted program ^{[45][46] [47]}applications and serving ads.^[48]

As of April 2016, Shedun malware is, by most security researchers, considered to be next to impossible to remove entirely.^{[49][50][51][52][53][54]}

Avira Security researcher Pavel Ponomariov, specialized in Android malware detection tools, mobile threats detection and mobile malware detection automation research^[55], has published an in-depth analysis of the computer virus.^[7]

See also

• Brain Test

References

1. "Android Adware Abuses Accessibility Service to Install Apps - SecurityWeek.Com".
2. Manish Singh. "New Android Adware Can Download, Install Apps Without Permission: Report". NDTV Gadgets360.com.
3. "Three new malware strains infect 20k apps, impossible to wipe, only affect Android". AppleInsider Forums.
4. "Hackers reveal Android trojan malware that is IMPOSSIBLE to remove". Mail Online. 5 November 2015.
5. "Android Malware On The Loose: Shuanet, ShiftyBug And Shedun Signatures Found On 20,000 Apps Outside Google Play Store". Droid Report.
6. "Shedun Trojan goes solo". Darkmatters.
7. "Shedun: adware/malware family threatening your Android device". Avira Blog.
8. "Neue Welle von Android-Malware lässt sich kaum mehr entfernen".
9. PMK Presse, Messe & Kongresse Verlags GmbH. "Gemeinsamkeiten: Shuanet, Shedun & ShiftyBug".
10. "Android-Malware: Adware war gestern. Android-Trojaner auf dem Vormarsch". botfrei Blog.
11. "New type of auto-rooting Android adware is nearly impossible to remove". Ars Technica.
12. Michael Mimoso. "Shuanet Adware Roots Android Devices - Threatpost - The first stop for security news". Threatpost - The first stop for security news.
13. "Adware Shedun nistet sich gegen den Willen der Nutzer in Android ein". ITespresso.de.
14. "Android Trojan Software Morphs Into Real Apps, Nearly Impossible To Remove From Device's System: Report". Yibada.
15. "Android-Malware: Neue Schadsoftware rootet Geräte und ist kaum zu entfernen - Golem.de".
16. Swati Khandelwal (3 September 2015). "26 Android Phone Models Shipped with Pre-Installed Spyware". The Hacker News.
17. https://public.gdatasoftware.com/Presse/Publikationen/Malware_Reports/G_DATA_MobileMWR_Q2_2015_US.pdf
18. Catalin Cimpanu (4 September 2015). "24 Chinese Android Smartphone Models Come with Pre-Installed Malware". softpedia.
19. David Gilbert. "Amazon Selling $40 Android Tablets That Come With Pre-Installed Malware". International Business Times.
20. "Chinese smartphones infected with pre-installed malwareSecurity Affairs". Security Affairs.
21. "Chinese Android smartphones now shipping with pre-installed malware". SC Magazine.
22. Diane Samson. "Malware Found Pre-Installed on Xiaomi, Huawei, Lenovo Phones". iDigitalTimes.com.
23. "Amazon's $40 Chinese Android Tablets Infected With Pre-Installed Malware". Design & Trend.
24. Jeremy Kirk (5 March 2014). "Pre-installed malware found on new Android phones". Computerworld.
25. https://public.gdatasoftware.com/Presse/Publikationen/Malware_Reports/G_DATA_MobileMWR_Q2_2015_EN.pdf
26. Waqas. "Amazon Store, a safe haven for Android Tablets with pre-installed malware". HackRead.
27. "Pre-Installed Android Malware Raises Security Risks in Supply Chain".
28. "Some Android Phones Come With Malware Pre-Installed: Report". The Huffington Post.
29. "Brand New Android Smartphones Coming with Spyware and Malware". WCCFtech.
30. "Chinese Android smartphone comes with malware pre-installed". Graham Cluley.
31. Martin Brinkmann (8 September 2015). "Beware, your Android phone might come with preloaded spyware". gHacks Technology News.
32. "Trojan adware on Android can give itself root access". The Tech Report.
33. "Shedun, Shuanet und Shiftybug: Android-Smartphone vor Malware schützen".
34. "Android-Nutzer: Achtung vor Trojaner-Adware Shedun - Check & Secure -". - Check & Secure -.
35. "New Android adware tries to root your phone so you can't remove it". ExtremeTech.
36. "More than 20,000 apps auto-root Android devices". SC Magazine UK.
37. "Android's accessibility service grants god-mode p0wn power".
38. "Trojanized adware family abuses accessibility service to install whatever apps it wants | Lookout Blog". Blog.lookout.com. 2015-11-19. Retrieved 2016-04-10.
39. "Shedun trojan adware is hitting the Android Accessibility Service".
40. "Shedun adware can install any malicious mobile appSecurity Affairs". Security Affairs.
41. Shedun gaining accessibility service privileges. 18 November 2015 – via YouTube.
42. Dennis Schirrmacher (20 November 2015). "Android-Malware: Werbeterror wie von Geisterhand". Security.
43. "Der Adware – Trojaner Shedun". trojaner-info.de. 6 December 2015.
44. Swati Khandelwal (20 November 2015). "This Malware Can Secretly Auto-Install any Android App to Your Phone". The Hacker News.
45. "Trojaner-Adware installiert selbstständig ungewollte Android-Apps".
46. "Shedun: Neue Android-Adware installiert Apps ohne deine Einwilligung". Androidmag.
47. John Woll. "Installation auch nach Ablehnung: Neue dreiste Android-Adware".
48. "Android Shedun Malware: New Malware That Can Grant Access to Your Phone; Malware Impossible To Be Removed?". Yibada.
49. http://www.noz.de/deutschland-welt/gut-zu-wissen/artikel/635820/gefahrliche-android-schadsoftware-oft-hilft-nur-neues-gerat-1
50. "Shedun trojan adware is hitting the Android Accessibility Service". The Inquirer. 2015-11-20. Retrieved 2016-04-10.
51. "Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire | Lookout Blog". Blog.lookout.com. 2015-11-04. Retrieved 2016-04-10.
52. "Shuanet, ShiftyBug and Shedun malware could auto-root your Android". Betanews.com. Retrieved 2016-04-10.
53. "New Family Of Android Malware Virtually Impossible To Remove: Say Hello To Shedun, Shuanet And ShiftyBug : PERSONAL TECH". Tech Times. Retrieved 2016-04-10.
54. Goodin, Dan (2015-11-19). "Android adware can install itself even when users explicitly reject it". Ars Technica. Retrieved 2016-04-10.
55. "Pavel Ponomariov - Avira Blog". Avira Blog.