Hackers can remotely install any malicious third-party app on your smartphone, even if you have clearly tapped the reject button for the app.
Security researchers have uncovered a trojanized adware family that has the capability to automatically install any app on an Android device by abusing the operating system's accessibility features.
Michael Bentley, head of response at mobile security firm Lookout, warned in a blog post published Thursday that the team has found three adware families:
- Shedun (GhostPush)
- Kemoge (ShiftyBug)
- Shuanet
All three adware families root the Android devices they infect in order to prevent their removal and give attackers unrestricted access to the devices.
But, it seems that the Shedun adware family has capabilities that go beyond the reach of other adware families.
The Malware Doesn't Exploit Any Vulnerability
It is worth noting that the malware does not exploit any flaw in the Android Accessibility Service to hijack a device and instead relies on the service's legitimate functionality.
During installation, apps from the Shedun adware family trick users into granting them access to the Android Accessibility Service, which is meant to provide users with alternative ways to interact with their smartphones.
By gaining access to the accessibility service, Shedun can:
- Read the text that appears on the phone screen
- Detect an app installation prompt
- Scroll through the permission list
- Finally, press the install button without any physical interaction from the user
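A check a defender can run against the behaviour listed above, as an added example that is not from Lookout or the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -f -i` and flags enabled accessibility services whose package was not installed from Google Play or sits on the system partition outside a known baseline. The `TRUSTED` baseline, the `com.example.*` packages and the sample output are constructed assumptions.

```python
import re

PLAY_STORE = "com.android.vending"
TRUSTED = {"com.google.android.marvin.talkback"}  # assumed per-device baseline
PKG_LINE = re.compile(r"^package:(?P<path>.+)=(?P<pkg>[\w.]+)\s+installer=(?P<inst>\S+)$")

def parse_enabled_services(raw):
    """Split the colon-separated 'package/ServiceClass' setting into pairs."""
    raw = raw.strip()
    if raw in ("", "null"):  # no accessibility service enabled
        return []
    return [tuple(c.split("/", 1)) for c in raw.split(":") if "/" in c]

def parse_packages(raw):
    """Map package -> (apk_path, installer) from `pm list packages -f -i`."""
    pkgs = {}
    for line in raw.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            pkgs[m["pkg"]] = (m["path"], m["inst"])
    return pkgs

def audit(services_raw, packages_raw, trusted=TRUSTED):
    """Return (package, service, reasons) for each enabled service to review."""
    pkgs = parse_packages(packages_raw)
    findings = []
    for pkg, svc in parse_enabled_services(services_raw):
        if pkg in trusted:
            continue
        path, installer = pkgs.get(pkg, ("", "unknown"))
        reasons = []
        if path.startswith("/system/"):
            reasons.append("on system partition but not in baseline")
        if installer != PLAY_STORE:
            reasons.append(f"installer={installer}, not Google Play")
        if reasons:
            findings.append((pkg, svc, reasons))
    return findings

# Constructed sample output, not taken from a real device.
SAMPLE_SERVICES = ":".join([
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
    "com.example.flashlight/.HelperService", "com.example.sysupdate/.CoreService",
    "com.example.reader/.ReadAloudService"])
SAMPLE_PACKAGES = """\
package:/system/app/talkback/talkback.apk=com.google.android.marvin.talkback  installer=null
package:/data/app/com.example.flashlight-1/base.apk=com.example.flashlight  installer=null
package:/system/priv-app/sysupdate/sysupdate.apk=com.example.sysupdate  installer=null
package:/data/app/com.example.reader-1/base.apk=com.example.reader  installer=com.android.vending
"""
```

Calling `audit(SAMPLE_SERVICES, SAMPLE_PACKAGES)` flags the sideloaded `com.example.flashlight` and the system-partition `com.example.sysupdate`, while the baseline TalkBack service and the Play-installed reader pass.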
Video Demonstration:
You can watch the following video that shows the forced installation of an app in action.
The trojanized app masquerades as an official app available in the Google Play Store and is then pushed to third-party markets.
The worrisome part is that Shedun apps can't be easily uninstalled, as the apps root the victim's device and then embed themselves in the system partition in an effort to persist even after a factory reset.
Lookout categorized them as "Trojanized Adware" because the goal of this malware is to install third-party apps and serve aggressive advertising.
Legitimate applications also use the Android Accessibility Service, for example to grant expanded capabilities to phone tinkerers. So users are, as always, advised to be careful when using third-party app markets.