New type of auto-rooting Android adware is nearly impossible to remove


Researchers have uncovered a new type of Android adware that's virtually impossible to uninstall, exposes phones to potentially dangerous root exploits, and masquerades as one of thousands of different apps from providers such as Twitter, Facebook, and even Okta, an identity and two-factor authentication provider.

The researchers have found more than 20,000 samples of trojanized apps. Each takes the code or other features of an official app from Google Play, repackages it with the malicious payload, and is then posted to third-party markets. From the end user's perspective, the modified apps look just like the legitimate apps, and in many cases they provide the same functionality and experience. Behind the scenes, however, the apps use root exploits against the Android operating system. The exploits, found in three app families known as Shedun, Shuanet, and ShiftyBug, allow the trojanized apps to install themselves as system applications, a highly privileged status usually reserved for the components shipped in the device firmware. That placement is what makes them so hard to remove: system apps live on the /system partition, which is normally mounted read-only and is not touched by the ordinary uninstall path or by a factory reset (a reset wipes only the user data partition), so getting rid of one means re-flashing the firmware.

"For individuals, getting infected with Shedun, Shuanet, and ShiftyBug might mean a trip to the store to buy a new phone," researchers from mobile security firm Lookout wrote in a blog post published Wednesday. "Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy."


Android adware wields potent root exploits to gain permanent foothold

In-the-wild samples of Kemoge impersonating well-known apps. (credit: FireEye)

Researchers have uncovered yet another Android-based adware campaign targeting people who download what they believe are trusted titles from websites and other third-party app stores.

The apps use repackaged icons to disguise themselves as popular titles and are offered for download through pop-up ads on visited websites and in-app promotions, according to a blog post published Wednesday by researchers from security firm FireEye. Once installed, the apps exploit as many as eight separate Android vulnerabilities to gain root privileges. From there, they load code libraries masquerading as legitimate Android services under lookalike names such as com.facebook.qdservice.rp.provider and com.android.provider.setting (the genuine settings provider on Android is com.android.providers.settings, two letters away), and use them to gain a permanent foothold on infected phones.
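Both of the campaigns above leave the same two traces on a device: packages on the /system partition that were never part of the firmware, and package names that are a letter or two away from genuine Android components. The triage helper below is an added example written for this page, not code from Lookout, FireEye or Ars. It parses the output of `adb shell pm list packages -f` (captured to a file or piped in), compares every /system package against a firmware baseline, and uses a similarity check to catch typosquatted names. The baseline set and the sample `pm` output are constructed for illustration; a real baseline is built from a known-clean factory image of the same device model.

```python
import difflib
import re

# Hypothetical firmware baseline: package names taken from a known-clean image of
# the same device model. In practice this is generated from a factory image.
BASELINE_SYSTEM = {
    "com.android.providers.settings",
    "com.android.systemui",
    "com.android.phone",
    "com.google.android.gms",
}

# One line of `adb shell pm list packages -f` looks like:
#   package:/system/priv-app/Foo/Foo.apk=com.example.foo
PM_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<name>[\w.]+)$")

# Constructed sample output. The two impersonating names are the ones FireEye
# reported for Kemoge; the remaining entries are ordinary packages.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/SettingsProvider/SettingsProvider.apk=com.android.providers.settings
package:/system/app/SystemUI/SystemUI.apk=com.android.systemui
package:/system/priv-app/TeleService/TeleService.apk=com.android.phone
package:/data/app/com.twitter.android-1/base.apk=com.twitter.android
package:/system/priv-app/qdservice/qdservice.apk=com.facebook.qdservice.rp.provider
package:/system/app/setting/setting.apk=com.android.provider.setting
"""


def parse_pm_list(text):
    """Return (apk_path, package_name) pairs from `pm list packages -f` output."""
    pairs = []
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pairs.append((m.group("path"), m.group("name")))
    return pairs


def is_system_path(apk_path):
    """True for packages living on the firmware partition rather than under /data."""
    return apk_path.startswith("/system/")


def lookalike_of(name, legit_names, cutoff=0.9):
    """Return the legitimate name that `name` closely mimics, or None.

    An exact match is legitimate. A near miss such as com.android.provider.setting
    against com.android.providers.settings is the typosquat pattern Kemoge used.
    """
    if name in legit_names:
        return None
    hits = difflib.get_close_matches(name, legit_names, n=1, cutoff=cutoff)
    return hits[0] if hits else None


def triage(pm_output, baseline=BASELINE_SYSTEM):
    """Map suspicious package names to the reasons they were flagged.

    A package is flagged if it sits on /system without being in the baseline, or
    if its name mimics a baseline package name without matching it exactly.
    """
    findings = {}
    for apk_path, name in parse_pm_list(pm_output):
        reasons = []
        if is_system_path(apk_path) and name not in baseline:
            reasons.append("on /system but absent from firmware baseline: " + apk_path)
        twin = lookalike_of(name, baseline)
        if twin is not None:
            reasons.append("name mimics legitimate package " + twin)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PM_OUTPUT).items():
        print(pkg)
        for reason in reasons:
            print("   -", reason)
```

On the constructed sample this flags com.facebook.qdservice.rp.provider (a third-party brand name that has no business on /system) and com.android.provider.setting (both on /system outside the baseline and a near miss of the real settings provider). A user-installed Twitter client under /data is left alone. The 0.9 similarity cutoff is deliberately tight so that legitimate sibling packages sharing a vendor prefix do not trip the lookalike rule; lower it only if you also review the extra hits by hand.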

FireEye researchers wrote:


Attacks accessing Mac keychain without permission date back to 2011

On Tuesday, Ars chronicled an OS X technique that's being actively used by an underhanded piece of adware to access people's Mac keychain without permission. Now there's evidence the underlying weakness has been exploited for four years.

As documented by Twitter user @noarfromspace, the keychain-penetrating technique was carried out in 2011 by a piece of malware known as DevilRobber. The then-new threat caught the attention of security researchers because it commandeered a Mac's graphics card and CPU to perform the mathematical calculations necessary to mine bitcoins, something that was novel at the time. Less obvious was DevilRobber's use of the AppleScript programming language to locate a window requesting permission to access the Keychain and then simulate a mouse click over the OK button.

Thomas Reed, who is director of Mac offerings at security firm Malwarebytes, said he tested the AppleScript on the current version of Apple's OS X and found it worked, as long as the user had already allowed the app running the script to control the Mac. That permission is the Accessibility list under System Preferences > Security & Privacy > Privacy, which is where OS X gates GUI scripting through System Events, so auditing that list is the first check to make on a suspect machine. On Monday, Reed disclosed that the same technique was being used by the Genieo adware installer to gain access to a Safari extensions list that's protected inside the Mac Keychain. Coincidentally, researchers located in Beirut independently reported the technique on Tuesday, the same day Ars chronicled Malwarebytes' findings involving Genieo.


Sneaky adware caught accessing users’ Mac Keychain without permission

Last month, Ars chronicled a Mac app that brazenly exploited a then-unpatched OS X vulnerability so the app could install itself without requiring people to enter system passwords. Now, researchers have found the same highly questionable installer is accessing people's Mac keychain without permission.

The adware taking these liberties is distributed by Israel-based Genieo Innovation, a company that's long been known to push adware and other unwanted apps. According to researchers at Malwarebytes, the Genieo installer automatically accesses a list of Safari extensions that, for reasons that aren't entirely clear, is stashed inside the Mac Keychain alongside passwords for iCloud, Gmail, and other important accounts.

Genieo acquires this access by very briefly displaying a message asking for permission to open the Safari extensions and then automatically clicking the accompanying OK button before a user has time to respond or possibly even notice what's taking place. With that, Genieo installs an extension known as Leperdvil. The following three-second video captures the entire thing:
