Android adware installs itself without permission

Adware Shedun takes advantage of legitimate features in Android Accessibility Service

New malware has been discovered which uses a flaw in Android's Accessibility Service to install malware on a user's device without permission. The malware will install itself even when a user explicitly rejects an app installation.

Dubbed Shedun, the malware not only downloads unwanted apps, but also attempts to install them by tricking a user into enabling Shedun to control the Accessibility Service, which is designed to provide alternative ways to interact with mobile devices.

According to IT security firm Lookout, the malware doesn't exploit a vulnerability in the service; instead, it takes advantage of the service's legitimate features.

“By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user,” said Michael Bentley, head of research and response at Lookout in a blog post.

After the device is rooted, Shedun (likely masquerading as a popular app or system utility) asks the user to turn on the accessibility service. The messaging is ironically misleading:

“[This app] uses accessibility features to help stop inactive apps you aren't using. You'll see a standard privacy risk reminder, please feel at ease about turning it on,” the malware says during installation.

“First, it lies about what accessibility features do (they do not help stop inactive apps, nor do they provide maximum acceleration). Then it attempts to placate the victim to “feel at ease” about turning on the service – sure, trust them, nothing to worry about,” said Bentley.

He said this requires some victim interaction in that “she must turn on the accessibility service initially if she falls for the “feel at ease” message”. From there the installation of further apps is automatic.

“Shedun then shows the victim a pop-up advertisement for another application. When the victim clicks away from the pop up, the app downloads anyway. As soon as the download is complete, Shedun uses the accessibility service to automatically approve all the permissions for the app and install it–without any additional user interaction,” added Bentley.

He said the malware uses this technique to increase its revenue by guaranteeing the installation and execution of advertised applications. 

“After all, marketing companies pay more money for advertising campaigns where the user actually interacts with the application after downloading it instead of simply downloading and forgetting about it. In this case, Shedun takes that choice away, leaving the user angry at the advertised app that they have been forced to experience, while simultaneously taking the money from ad agencies, despite having violated their policies,” said Bentley.

He added that this type of malware is evolving quickly and that more sophisticated families like this one would surface in the future.

Check Point's security engineering manager, Ian Porteous, told SCMagazineUK.com that malware that uses root exploits written to Android's system directory, from which the user cannot simply remove apps manually, is a trend that's becoming increasingly common. 

“We saw this kind of behaviour with the ‘BrainTest’ malware family that was discovered roaming freely in Google's official app store by Check Point researchers,” he said. “The purpose of the malware seems to be data theft.”

“To protect against these types of infection, organisations should use up to date mobile security software that is capable of identifying these threats. If the threat reappears on the device after the first installation, it means that the malware has managed to persist on the device, in which case the device may need to be re-flashed with an official ROM,” he added.

Steve Manzuik, director of Security Research at Duo Security, told SCMagazineUK.com that it's important to point out that the infected application as demonstrated by Lookout does not actually exist on the official Google Play store.

“This means that only users who are downloading and installing applications from unofficial sources are at risk. Obviously, it is not recommended that users put themselves at risk in this way,” he said.

He added that users should only download applications from the official Google Play Store. In addition, users should pay attention to what permissions an application is asking for before allowing it to install.

“Other standard security advice such as do not visit links that appear to be suspicious or run unknown attachments on the device also apply here. It is important to reiterate that this malware was not found on the official Play Store and that Google has a process in place to identify and remove malicious applications,” added Manzuik.
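
An added example, not from Lookout or the original article: because Shedun depends on an enabled accessibility service and was distributed outside Google Play, this script lists enabled accessibility services whose package was not installed by the Play Store. It parses captured output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the sample data and `com.example.*` names are constructed, and trusting only `com.android.vending` is an assumed policy.

```python
# Inputs are the text output of two adb commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store (assumed policy)

# Constructed sample output; the com.example.* packages are made up.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.speedbooster/.BoostService")
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.speedbooster  installer=null
package:com.example.notes  installer=com.android.vending
"""


def parse_services(raw):
    """Split the colon-separated 'package/class' list; 'null' or empty means none."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    parts = (component.partition("/") for component in raw.split(":"))
    return [(package, cls) for package, _, cls in parts if package]


def parse_installers(raw):
    """Map package name -> installer from 'pm list packages -i' lines."""
    installers = {}
    for line in map(str.strip, raw.splitlines()):
        if line.startswith("package:"):
            name, _, rest = line[len("package:"):].partition(" ")
            installers[name] = rest.partition("installer=")[2].strip() or "null"
    return installers


def audit(services_raw, packages_raw):
    """Return enabled accessibility services not installed by a trusted store."""
    installers = parse_installers(packages_raw)
    findings = []
    for package, cls in parse_services(services_raw):
        installer = installers.get(package, "unknown")
        if installer not in TRUSTED_INSTALLERS:
            findings.append({"package": package, "service": cls, "installer": installer})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"REVIEW {f['package']}/{f['service']} installer={f['installer']}")
```

Preinstalled services can also report `installer=null`, so the output is a review list rather than a verdict.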