There are more than 20,000 new reasons to ensure that an Android app is being downloaded from the Google Play store, instead of a third-party app store.
Malicious players behind bugs with nasty names, such as ShiftyBug and GhostPush, have injected adware into tens of thousands of popular apps, repackaging them and then putting them on third-party apps stores, reported cybersecurity firm Lookout last week.
The firm, over the last year, collected 20,000 samples of apps that were affected with adware from any of three malware families called Shuanet, Kemoge or "ShiftyBug," and Shedun or "GhostPush." The codes from some variants of the malware families were 71 to 82 percent identical, further evidencing the familial ties between the three groups.
Among the repackaged apps were Play Store stars such as Snapchat, Twitter, Facebook and tons more. Antivirus apps were "curiously" untouched by the retrofitting of the apps, leading the security firm to speculate that "a high level of planning" went into this effort.
Two-Timing Android Apps
These malicious apps aren't using new exploits. They use vulnerabilities exploited by legitimate root enablers, apps that unlock an Android phone's file system.
"Unlike older types of adware that were obvious and obnoxious, prompting users to uninstall them, this new type of adware is silent, working in the background," Lookout says. "These malicious apps root the device unbeknownst to the user."
The repackaged apps operate just as their developers intended, yet the injections of malicious code give them a few extra functions which can be devastating.
While reporting a user's post to a timeline or transmitting an image to that person's cloud storage space, the re-purposed apps also share and user data with the shadows and upload the handset's information to command and control servers.
"These malicious apps root the device unbeknownst to the user," Lookout says. "To add insult to injury, victims will likely not be able to uninstall the malware, leaving them with the options of either seeking out professional help to remove it, or simply purchasing a new device."
Because members of these malware families gain root access, they can, and have, installed themselves as system applications. System apps can't be removed by the user without a clean install.
Stay Safe, Be Well
It's enough to send a casual Android user over Apple and its "walled garden of an app store." But it's important to point out that Lookout hasn't found any evidence of these repackaged apps inside of Android's first party app store, the Google Play Store.
The retrofitted apps, all 20,000 or so of them, were found in third-party app stores and other outside sources. Unless the authenticity and security of a source can be verified with 100 percent certainty, it's imperative to avoid installing apps found outside of the Google Play Store.
"We work to make sure that all apps available on Google Play pass stringent policy checks, including checks for potentially harmful behavior," says Google.
Amazon operates a pair of Android app stores and is known to take a similar approach to curation as Apple with its App Store. While Google doesn't allow Amazon's app stores inside the Play Store, there is an absence of evidence suggesting the e-tailer's third-party marketplace is unsafe.
Beyond that, apps issued from enterprises to employees can generally be trusted — business doesn't want its employees' handsets sending any company data off to untrusted entities.
Those looking to install apps from third-party sources must make a conscientious choice to do so. As Android devices with Google Play installed are automatically protected from installing malicious apps, thanks to the app store's Verify Apps feature.
"It's turned on by default and warns you before you install an application we believe is potentially harmful," says Google. "It'll also check your device about once a week for potentially harmful apps. If you see a warning from Verify Apps, we recommend not installing that app."
For those unsure if the Verify Apps feature is turned on, visit the Google Settings or Settings menu and then tap Security. From there, navigate down to the Verify Apps section and then make sure the "Scan device for security threats" is set to On.
It's important that the Verify Apps feature is on, as the latest threat doesn't appear to be a fleeting trend.
"We believe more families of adware trojanizing popular apps will emerge in the near future and look to dig its heels into the reserved file system to avoid being removed," says Lookout.