Shedun

Android based malware

Shedun is a family of malware software (also known as Kemoge, Shiftybug and Shuanet^[1]^[2]^[3]) targeting the Android operating system first identified in late 2015 by mobile security company Lookout, affecting roughly 20,000^[4] popular Android applications.^[3]^[5]^[6]^[7]^[8] Lookout claimed the HummingBad malware was also a part of the Shedun family, however, these claims were refuted.^[9]^[10]

Avira Protection Labs stated that Shedun family malware is detected to cause approximately 1500-2000 infections per day.^[11] All three variants of the virus are known to share roughly ~80% of the same source code.^[12]^[13]

In mid 2016, arstechnica reported that approximately 10.000.000 devices would be infected by this malware ^[14] and that new infections would still be surging.^[15]^[16]

The malware's primary attack vector is repackaging legitimate Android applications (e.g. Facebook, Twitter, WhatsApp, Candy Crush, Google Now, Snapchat^[17])^[4]^[18]^[19] with adware included. The app which remains functional is then released to a third party app store;^[20] once downloaded, the application generates revenue by serving ads (estimated to amount to $2 US per installation^[19]), most users cannot get rid of the virus without getting a new device, as the only other way to get rid of the malware is to root affected devices and re-flash a custom ROM.^[21]^[22]

In addition, Shedun-type malware has been detected pre-installed on 26 different types^[23] of Chinese Android-based hardware such as Smartphones and Tablet computers.^[24]^[25]^[26]^[27]^[28]^[29]^[30]^[31]^[32]^[33]^[34]^[35]^[36]

Shedun-family malware is known for auto-rooting the Android OS^[18]^[37] using well-known exploits like ExynosAbuse, Memexploit and Framaroot ^[38] (causing a potential privilege escalation^[19]^[39]^[40])^[41] and for serving trojanized adware and installing themselves within the system partition of the operating system, so that not even a factory reset can remove the malware from infected devices.^[42]^[43]

Shedun malware is known for targeting the Android Accessibility Service,^[2]^[42]^[44]^[45]^[46]^[47]^[48] as well as for downloading and installing arbitrary applications^[49] (usually adware) without permission.^[3] It is classified as "aggressive adware" for installing potentially unwanted program^[50]^[51]^[52] applications and serving ads.^[53]

As of April 2016, Shedun malware is considered by most security researchers to be next to impossible to entirely remove.^[54]^[55]^[56]^[57]^[58]^[59]

Avira Security researcher Pavel Ponomariov, who specializes in Android malware detection tools, mobile threat detection, and mobile malware detection automation research,^[60] has published an in-depth analysis of this malware.^[11]

The countries most infected by this virus were in Asia including China, India, Philippines, Indonesia and Turkey.^[61]

Share this article:

This article uses material from the Wikipedia article Shedun, and is written by contributors. Text is available under a CC BY-SA 4.0 International License; additional terms may apply. Images, videos and audio are available under their respective licenses.

[1] [1]
by @HackTheW0r1d (5 November 2015). "Shuanet, ShiftyBug and Shedun malware could auto-root your Android – HackBails". Hackbails.wordpress.com. Retrieved 2 October 2016.{{cite web}}: CS1 maint: numeric names: authors list (link)

[securityweek.com-2] [2]
"Android Adware Abuses Accessibility Service to Install Apps". SecurityWeek.com. Retrieved 20 April 2016.

[manishsingh-3] [3]
Manish Singh. "New Android Adware Can Download, Install Apps Without Permission: Report". NDTV Gadgets360.com.

[appleinsider.com-4] [4]
"Three new malware strains infect 20k apps, impossible to wipe, only affect Android". AppleInsider Forums.

[5] [5]
Eran, Daniel (5 November 2015). "Three new malware strains infect 20k apps, impossible to wipe, only affect Android". Appleinsider.com. Retrieved 2 October 2016.

[6] [6]
"Android Malware On The Loose: Shuanet, ShiftyBug And Shedun Signatures Found On 20,000 Apps Outside Google Play Store". Droid Report.

[7] [7]
"Shedun Trojan goes solo". Darkmatters. Archived from the original on 8 April 2016. Retrieved 18 April 2016.

[8] [8]
"Popular Mobile Apps Repackaged with Trojans". Lavasoft. 4 November 2015. Retrieved 2 October 2016.

[9] [9]
"Another month, another new rooting malware family for Android". blog.elevenpaths.com. Archived from the original on 10 October 2016. Retrieved 9 October 2016.

[10] [10]
"DIY Attribution, Classification, and In-depth Analysis of Mobile Malware". Check Point Blog. 11 July 2016. Retrieved 9 October 2016.

[avira.com-11] [11]
"Shedun: adware/malware family threatening your Android device". Avira Blog. 3 September 2015.

[12] [12]
"Neue Welle von Android-Malware lässt sich kaum mehr entfernen". Elektronikpraxis.vogel.de. Retrieved 20 April 2016.

[13] [13]
PMK Presse, Messe & Kongresse Verlags GmbH. "Gemeinsamkeiten: Shuanet, Shedun & ShiftyBug". Itseccity.de. Retrieved 20 April 2016.

[arstechnica1-14] [14]
Dan Goodin - Jul 7, 2016 5:50 pm UTC (7 July 2016). "10 million Android phones infected by all-powerful auto-rooting apps". Ars Technica. Retrieved 2 October 2016.{{cite web}}: CS1 maint: numeric names: authors list (link)

[15] [15]
"Android Trojanized Adware 'Shedun' Infections Surge". Bankinfosecurity.com. 8 July 2016. Retrieved 2 October 2016.

[16] [16]
"Android Trojanized Adware 'Shedun' Infections Surge". www.linkedin.com.

[17] [17]
"Android-Malware: Adware war gestern. Android-Trojaner auf dem Vormarsch". botfrei Blog. 9 November 2015.

[auto-18] [18]
"New type of auto-rooting Android adware is nearly impossible to remove". Ars Technica. 4 November 2015.

[michaelmimoso-19] [19]
Michael Mimoso. "Shuanet Adware Roots Android Devices - Threatpost - The first stop for security news". Threatpost - The first stop for security news.

[20] [20]
"Adware Shedun nistet sich gegen den Willen der Nutzer in Android ein". ITespresso.de. 23 November 2015.

[21] [21]
"Android Trojan Software Morphs Into Real Apps, Nearly Impossible To Remove From Device's System: Report". Yibada.

[22] [22]
"Android-Malware: Neue Schadsoftware rootet Geräte und ist kaum zu entfernen - Golem.de".

[23] [23]
Swati Khandelwal (3 September 2015). "26 Android Phone Models Shipped with Pre-Installed Spyware". The Hacker News.

[24] [24]
"G Data : Mobile Malware Report" (PDF). Public.gdatasoftware.com. Archived from the original (PDF) on 15 February 2017. Retrieved 20 April 2016.

[25] [25]
Catalin Cimpanu (4 September 2015). "24 Chinese Android Smartphone Models Come with Pre-Installed Malware". softpedia.

[26] [26]
David Gilbert (12 November 2015). "Amazon Selling $40 Android Tablets That Come With Pre-Installed Malware". International Business Times.

[27] [27]
"Chinese smartphones infected with pre-installed malwareSecurity Affairs". Security Affairs. 2 September 2015.

[28] [28]
"Chinese Android smartphones now shipping with pre-installed malware". SC Magazine. Archived from the original on 7 May 2016. Retrieved 18 April 2016.

[29] [29]
Diane Samson. "Malware Found Pre-Installed on Xiaomi, Huawei, Lenovo Phones". iDigitalTimes.com. Archived from the original on 23 August 2016. Retrieved 18 April 2016.

[30] [30]
"Amazon's $40 Chinese Android Tablets Infected With Pre-Installed Malware". Design & Trend. Archived from the original on 15 February 2017. Retrieved 18 April 2016.

[31] [31]
Jeremy Kirk (5 March 2014). "Pre-installed malware found on new Android phones". Computerworld.

[32] [32]
"G Data : Mobile Malware Report" (PDF). Public.gdatasoftware.com. Archived from the original (PDF) on 10 March 2016. Retrieved 20 April 2016.

[33] [33]
Waqas (14 November 2015). "Amazon Store, a safe haven for Android Tablets with pre-installed malware". HackRead.

[34] [34]
"Pre-Installed Android Malware Raises Security Risks in Supply Chain". October 2021.

[35] [35]
"Some Android Phones Come With Malware Pre-Installed: Report". The Huffington Post. Archived from the original on 30 May 2016. Retrieved 18 April 2016.

[36] [36]
"Brand New Android Smartphones Coming with Spyware and Malware". WCCFtech. 4 September 2015.

[37] [37]
"Trojan adware on Android can give itself root access". The Tech Report. 5 November 2015.

[38] [38]
"Shedun, Shuanet und Shiftybug: Android-Smartphone vor Malware schützen".

[39] [39]
"Android-Nutzer: Achtung vor Trojaner-Adware Shedun - Check & Secure -". - Check & Secure -.

[40] [40]
"New Android adware tries to root your phone so you can't remove it". ExtremeTech.

[41] [41]
"More than 20,000 apps auto-root Android devices". SC Magazine UK. 30 January 2022.

[theregister.co.uk-42] [42]
"Android's accessibility service grants god-mode p0wn power". The Register.

[43] [43]
"Trojanized adware family abuses accessibility service to install whatever apps it wants | Lookout Blog". Blog.lookout.com. 19 November 2015. Retrieved 10 April 2016.

[44] [44]
"Shedun trojan adware is hitting the Android Accessibility Service". Theinquirer.net. Archived from the original on 20 November 2015. Retrieved 20 April 2016.{{cite web}}: CS1 maint: unfit URL (link)

[45] [45]
"Shedun adware can install any malicious mobile appSecurity Affairs". Security Affairs. 22 November 2015.

[46] [46]
Shedun gaining accessibility service privileges. 18 November 2015 – via YouTube.

[47] [47]
Dennis Schirrmacher (20 November 2015). "Android-Malware: Werbeterror wie von Geisterhand". Security.

[48] [48]
"Der Adware – Trojaner Shedun". trojaner-info.de. 6 December 2015.

[49] [49]
Swati Khandelwal (20 November 2015). "This Malware Can Secretly Auto-Install any Android App to Your Phone". The Hacker News.

[50] [50]
"Trojaner-Adware installiert selbstständig ungewollte Android-Apps". Areamobile.de. Retrieved 20 April 2016.

[51] [51]
"Shedun: Neue Android-Adware installiert Apps ohne deine Einwilligung". Androidmag. 25 November 2015.

[52] [52]
John Woll (23 November 2015). "Installation auch nach Ablehnung: Neue dreiste Android-Adware".

[53] [53]
"Android Shedun Malware: New Malware That Can Grant Access to Your Phone; Malware Impossible To Be Removed?". Yibada.

[54] [54]
"Gefährliche Android-Schadsoftware: Oft hilft nur neues Gerät". Noz.de. 9 November 2015. Retrieved 20 April 2016.

[55] [55]
"Shedun trojan adware is hitting the Android Accessibility Service". The Inquirer. 20 November 2015. Archived from the original on 20 November 2015. Retrieved 10 April 2016.{{cite news}}: CS1 maint: unfit URL (link)

[56] [56]
"Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire | Lookout Blog". Blog.lookout.com. 4 November 2015. Retrieved 10 April 2016.

[57] [57]
"Shuanet, ShiftyBug and Shedun malware could auto-root your Android". Betanews.com. 5 November 2015. Retrieved 10 April 2016.

[58] [58]
"New Family Of Android Malware Virtually Impossible To Remove: Say Hello To Shedun, Shuanet And ShiftyBug : PERSONAL TECH". Tech Times. 9 November 2015. Retrieved 10 April 2016.

[59] [59]
Goodin, Dan (19 November 2015). "Android adware can install itself even when users explicitly reject it". Ars Technica. Retrieved 10 April 2016.

[60] [60]
"Pavel Ponomariov - Avira Blog". Avira Blog.

[61] [61]
Schwartz, Mathew J. "Android Trojanized Adware 'Shedun' Infections Surge". bankinfosecurity.com.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

[28]

[29]

[30]

[31]

[32]

[33]

[34]

[35]

[36]

[37]

[38]

[39]

[40]

[41]

[42]

[43]

[44]

[45]

[46]

[47]

[48]

[49]

[50]

[51]

[52]

[53]

[54]

[55]

[56]

[57]

[58]

[59]

[60]

[61]

Shedun

Shedun

See also

References

Share this article: