Shedun

Shedun is a family of malware software (also known as Kemoge, Shiftybug and Shuanet^[1][2][3]) targeting the Android operating system first identified in late 2015 by mobile security company Lookout, affecting roughly 20,000^[4] popular Android applications.^{[3][5][6][7][8]} Lookout claimed the HummingBad malware was also a part of the Shedun family, however, these claims were refuted.^[9][10]

Avira Protection Labs stated that Shedun family malware is detected to cause approximately 1500-2000 infections per day.^[11] All three variants of the virus are known to share roughly ~80% of the same source code.^[12][13]

In mid 2016, arstechnica reported that approximately 10.000.000 devices would be infected by this malware^[14] and that new infections would still be surging.^[15][16]

The malware's primary attack vector is repackaging legitimate Android applications (e.g. Facebook, Twitter, WhatsApp, Candy Crush, Google Now, Snapchat^[17])^[4][18][19] with adware included. The app which remains functional is then released to a third party app store;^[20] once downloaded, the application generates revenue by serving ads (estimated to amount to $2 US per installation^[19]), most users cannot get rid of the virus without getting a new device, as the only other way to get rid of the malware is to root affected devices and re-flash a custom ROM.^[21][22]

In addition, Shedun-type malware has been detected pre-installed on 26 different types^[23] of Chinese Android-based hardware such as Smartphones and Tablet computers.^{[24][25][26][27][28][29][30][31][32][33][34][35][36]}

Shedun-family malware is known for auto-rooting the Android OS^[18][37] using well-known exploits like ExynosAbuse, Memexploit and Framaroot^[38] (causing a potential privilege escalation^[19][39][40])^[41] and for serving trojanized adware and installing themselves within the system partition of the operating system, so that not even a factory reset can remove the malware from infected devices.^[42][43]

Shedun malware is known for targeting the Android Accessibility Service,^{[2][42][44][45][46][47][48]} as well as for downloading and installing arbitrary applications^[49] (usually adware) without permission.^[3] It is classified as "aggressive adware" for installing potentially unwanted program^[50][51][52] applications and serving ads.^[53]

As of April 2016, Shedun malware is considered by most security researchers to be next to impossible to entirely remove.^{[54][55][56][57][58][59]}

Avira Security researcher Pavel Ponomariov, who specializes in Android malware detection tools, mobile threat detection, and mobile malware detection automation research,^[60] has published an in-depth analysis of this malware.^[11]

The countries most infected by this virus were in Asia including China, India, Philippines, Indonesia and Turkey.^[61]

See also

• Brain Test
• Dendroid (Malware)
• Computer virus
• File binder
• Individual mobility
• Malware
• Trojan horse (computing)
• Worm (computing)
• Mobile operating system

References

1. by @HackTheW0r1d (5 November 2015). "Shuanet, ShiftyBug and Shedun malware could auto-root your Android – HackBails". Hackbails.wordpress.com. Retrieved 2 October 2016.{{cite web}}: CS1 maint: numeric names: authors list (link)
2. "Android Adware Abuses Accessibility Service to Install Apps". SecurityWeek.com. Retrieved 20 April 2016.
3. Manish Singh (23 November 2015). "New Android Adware Can Download, Install Apps Without Permission: Report". NDTV Gadgets360.com.
4. "Three new malware strains infect 20k apps, impossible to wipe, only affect Android". AppleInsider Forums. 5 November 2015.
5. Eran, Daniel (5 November 2015). "Three new malware strains infect 20k apps, impossible to wipe, only affect Android". Appleinsider.com. Retrieved 2 October 2016.
6. "Android Malware On The Loose: Shuanet, ShiftyBug And Shedun Signatures Found On 20,000 Apps Outside Google Play Store". Droid Report.
7. "Shedun Trojan goes solo". Darkmatters. Archived from the original on 8 April 2016. Retrieved 18 April 2016.
8. "Popular Mobile Apps Repackaged with Trojans". Lavasoft. 4 November 2015. Retrieved 2 October 2016.
9. "Another month, another new rooting malware family for Android". blog.elevenpaths.com. Archived from the original on 10 October 2016. Retrieved 9 October 2016.
10. "DIY Attribution, Classification, and In-depth Analysis of Mobile Malware". Check Point Blog. 11 July 2016. Retrieved 9 October 2016.
11. "Shedun: adware/malware family threatening your Android device". Avira Blog. 3 September 2015.
12. "Neue Welle von Android-Malware lässt sich kaum mehr entfernen". Elektronikpraxis.vogel.de. Retrieved 20 April 2016.
13. PMK Presse, Messe & Kongresse Verlags GmbH. "Gemeinsamkeiten: Shuanet, Shedun & ShiftyBug". Itseccity.de. Retrieved 20 April 2016.
14. Dan Goodin - Jul 7, 2016 5:50 pm UTC (7 July 2016). "10 million Android phones infected by all-powerful auto-rooting apps". Ars Technica. Retrieved 2 October 2016.{{cite web}}: CS1 maint: numeric names: authors list (link)
15. "Android Trojanized Adware 'Shedun' Infections Surge". Bankinfosecurity.com. 8 July 2016. Retrieved 2 October 2016.
16. "Android Trojanized Adware 'Shedun' Infections Surge". www.linkedin.com.
17. "Android-Malware: Adware war gestern. Android-Trojaner auf dem Vormarsch". botfrei Blog. 9 November 2015.
18. "New type of auto-rooting Android adware is nearly impossible to remove". Ars Technica. 4 November 2015.
19. Michael Mimoso (4 November 2015). "Shuanet Adware Roots Android Devices - Threatpost - The first stop for security news". Threatpost - The first stop for security news.
20. "Adware Shedun nistet sich gegen den Willen der Nutzer in Android ein". ITespresso.de. 23 November 2015.
21. "Android Trojan Software Morphs Into Real Apps, Nearly Impossible To Remove From Device's System: Report". Yibada.
22. "Android-Malware: Neue Schadsoftware rootet Geräte und ist kaum zu entfernen - Golem.de".
23. Swati Khandelwal (3 September 2015). "26 Android Phone Models Shipped with Pre-Installed Spyware". The Hacker News.
24. "G Data : Mobile Malware Report" (PDF). Public.gdatasoftware.com. Archived from the original (PDF) on 15 February 2017. Retrieved 20 April 2016.
25. Catalin Cimpanu (4 September 2015). "24 Chinese Android Smartphone Models Come with Pre-Installed Malware". softpedia.
26. David Gilbert (12 November 2015). "Amazon Selling $40 Android Tablets That Come With Pre-Installed Malware". International Business Times.
27. "Chinese smartphones infected with pre-installed malwareSecurity Affairs". Security Affairs. 2 September 2015.
28. "Chinese Android smartphones now shipping with pre-installed malware". SC Magazine. Archived from the original on 7 May 2016. Retrieved 18 April 2016.
29. Diane Samson. "Malware Found Pre-Installed on Xiaomi, Huawei, Lenovo Phones". iDigitalTimes.com. Archived from the original on 23 August 2016. Retrieved 18 April 2016.
30. "Amazon's $40 Chinese Android Tablets Infected With Pre-Installed Malware". Design & Trend. Archived from the original on 15 February 2017. Retrieved 18 April 2016.
31. Jeremy Kirk (5 March 2014). "Pre-installed malware found on new Android phones". Computerworld.
32. "G Data : Mobile Malware Report" (PDF). Public.gdatasoftware.com. Archived from the original (PDF) on 10 March 2016. Retrieved 20 April 2016.
33. Waqas (14 November 2015). "Amazon Store, a safe haven for Android Tablets with pre-installed malware". HackRead.
34. "Pre-Installed Android Malware Raises Security Risks in Supply Chain". October 2021.
35. "Some Android Phones Come With Malware Pre-Installed: Report". The Huffington Post. Archived from the original on 30 May 2016. Retrieved 18 April 2016.
36. "Brand New Android Smartphones Coming with Spyware and Malware". WCCFtech. 4 September 2015.
37. "Trojan adware on Android can give itself root access". The Tech Report. 5 November 2015.
38. "Shedun, Shuanet und Shiftybug: Android-Smartphone vor Malware schützen".
39. "Android-Nutzer: Achtung vor Trojaner-Adware Shedun - Check & Secure -". - Check & Secure -.
40. "New Android adware tries to root your phone so you can't remove it". ExtremeTech.
41. "More than 20,000 apps auto-root Android devices". SC Magazine UK. 30 January 2022.
42. "Android's accessibility service grants god-mode p0wn power". The Register.
43. "Trojanized adware family abuses accessibility service to install whatever apps it wants | Lookout Blog". Blog.lookout.com. 19 November 2015. Retrieved 10 April 2016.
44. "Shedun trojan adware is hitting the Android Accessibility Service". Theinquirer.net. Archived from the original on 20 November 2015. Retrieved 20 April 2016.{{cite web}}: CS1 maint: unfit URL (link)
45. "Shedun adware can install any malicious mobile appSecurity Affairs". Security Affairs. 22 November 2015.
46. Shedun gaining accessibility service privileges. 18 November 2015 – via YouTube.
47. Dennis Schirrmacher (20 November 2015). "Android-Malware: Werbeterror wie von Geisterhand". Security.
48. "Der Adware – Trojaner Shedun". trojaner-info.de. 6 December 2015.
49. Swati Khandelwal (20 November 2015). "This Malware Can Secretly Auto-Install any Android App to Your Phone". The Hacker News.
50. "Trojaner-Adware installiert selbstständig ungewollte Android-Apps". Areamobile.de. Retrieved 20 April 2016.
51. "Shedun: Neue Android-Adware installiert Apps ohne deine Einwilligung". Androidmag. 25 November 2015.
52. John Woll (23 November 2015). "Installation auch nach Ablehnung: Neue dreiste Android-Adware".
53. "Android Shedun Malware: New Malware That Can Grant Access to Your Phone; Malware Impossible To Be Removed?". Yibada.
54. "Gefährliche Android-Schadsoftware: Oft hilft nur neues Gerät". Noz.de. 9 November 2015. Retrieved 20 April 2016.
55. "Shedun trojan adware is hitting the Android Accessibility Service". The Inquirer. 20 November 2015. Archived from the original on 20 November 2015. Retrieved 10 April 2016.{{cite news}}: CS1 maint: unfit URL (link)
56. "Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire | Lookout Blog". Blog.lookout.com. 4 November 2015. Retrieved 10 April 2016.
57. "Shuanet, ShiftyBug and Shedun malware could auto-root your Android". Betanews.com. 5 November 2015. Retrieved 10 April 2016.
58. "New Family Of Android Malware Virtually Impossible To Remove: Say Hello To Shedun, Shuanet And ShiftyBug : PERSONAL TECH". Tech Times. 9 November 2015. Retrieved 10 April 2016.
59. Goodin, Dan (19 November 2015). "Android adware can install itself even when users explicitly reject it". Ars Technica. Retrieved 10 April 2016.
60. "Pavel Ponomariov - Avira Blog". Avira Blog.
61. Schwartz, Mathew J. "Android Trojanized Adware 'Shedun' Infections Surge". bankinfosecurity.com.