
Security researchers have spotted a type of malware that uses social engineering to trick users into enabling it to automatically install apps on their Android devices.

Michael Bentley, the head of research and response at mobile cybersecurity firm Lookout, has published a blog post in which he explains how a so-called “trojanized adware” known as Shedun attempts to assume control of the Android Accessibility Service, a service which is designed to provide users with alternate ways of interacting with their mobile devices.

“Shedun does not exploit a vulnerability in the service,” Bentley explains. “Instead it takes advantage of the service’s legitimate features. By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user.”

[Image: Shedun trojanized adware, Accessibility Service. Source: Lookout]

The malware tries to trick users with a message claiming that, by turning on “accessibility features”, it will be able to stop inactive apps that the victim is not using.

Once Shedun has assumed control of the Accessibility Service (video available here), it can then install whichever apps it wants with little-to-no user interaction and engage in “aggressive advertising”.

The malware is one of three app families (Shedun, Shuanet, and ShiftyBug) that masquerade as legitimate apps, such as Facebook and Candy Crush, on third-party Android app stores. If a user installs one of these apps, Shedun or one of the other malware families will root the device and install itself as a system application, thereby making it very difficult for victims to uninstall.

“For individuals, getting infected with Shedun, Shuanet, and ShiftyBug might mean a trip to the store to buy a new phone,” Bentley wrote in a blog post published earlier this month. “Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy.”

As Ars Technica warns, users should be cautious when installing apps from third-party stores and should be suspicious of any apps that attempt to gain control of the Accessibility Service.
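
One way to act on that advice when checking a device, as an added example that is not from Lookout or the original article: list the apps that currently hold accessibility access and flag any outside an expected set. The allowlist, the `com.example.batterysaver` package and the sample outputs are constructed assumptions; with `--device` the script reads the real values over `adb`.

```python
import subprocess
import sys

# Assumption: packages expected to hold accessibility access on this device.
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}

def parse_enabled_services(raw):
    """Split the colon-separated setting value into (package, class) pairs."""
    raw = raw.strip()
    if raw in ("", "null"):  # "null" is printed when the setting is unset
        return []
    services = []
    for component in raw.split(":"):
        if not component:
            continue
        package, _, cls = component.partition("/")
        if cls.startswith("."):  # short form is relative to the package name
            cls = package + cls
        services.append((package, cls))
    return services

def parse_package_list(raw):
    """Turn `pm list packages` output ("package:<name>" lines) into a set."""
    return {l.split(":", 1)[1].strip() for l in raw.splitlines() if l.startswith("package:")}

def audit(services_raw, system_raw, allowed=ALLOWED_PACKAGES):
    """Return every enabled accessibility service outside the allowlist.
    system_app is reported, not trusted: the adware described above
    installs itself as a system application."""
    system = parse_package_list(system_raw)
    return [{"package": p, "service": c, "system_app": p in system}
            for p, c in parse_enabled_services(services_raw) if p not in allowed]

def adb_shell(*args):
    done = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return done.stdout

# Constructed sample output; com.example.batterysaver is a hypothetical package.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.batterysaver/com.example.batterysaver.HelperService\n")
SAMPLE_SYSTEM = "package:com.android.settings\npackage:com.example.batterysaver\n"

if __name__ == "__main__":
    if "--device" in sys.argv:  # query a connected device instead of the sample
        services = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
        system = adb_shell("pm", "list", "packages", "-s")
    else:
        services, system = SAMPLE_SERVICES, SAMPLE_SYSTEM
    for finding in audit(services, system):
        print(finding)
```

A finding with `system_app` set to true deserves the closest look, since an accessibility service that is also a system application matches the persistence behaviour Bentley describes.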

  • Nigel Tolley

    Is there even a strong warning about giving up control over what is effectively root?
    I’ll not give that permission to anything not 100% trusted now, but only because I’ve just been warned by this article.
    Thanks for the heads up.