Android users have long been warned of the dangers of downloading applications for their devices through third-party stores: some are so bad that they 'root' the device, requiring expert attention or, even worse, forcing users to replace their phones altogether.
That warning has received another boost from mobile security company Lookout, which discovered over 20,000 instances of trojanised malware disguised as popular applications, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter and WhatsApp, all downloaded from third-party app stores.
Lookout said malicious actors behind these families repackaged and injected malicious code into thousands of popular applications found in Google Play, and later published them to third-party app stores.
“We believe many of these apps are actually fully-functional, providing their usual services, in addition to the malicious code that roots the device,” the company said in a blog post.
Lookout said that, unlike older iterations of this type of malware that were ‘obvious and obnoxious’, these applications root the device without the user’s knowledge. The firm went on to say that users would likely not be able to remove the malware.
By rooting a device, the malware creates an additional security risk for businesses and individuals alike, as other apps can then get root access to the device, giving them unrestricted access to files outside traditional permissions. Usually, applications are not allowed to access the files created by other applications; with root access, however, those limitations are easily bypassed.
Lookout said that, over the past year, it studied three interconnected families of adware: Shuanet, Kemoge (or ShiftyBug) and GhostPush. It claims that the three are responsible for over 20,000 repackaged apps.