Watch out! This Android malware melds to your OS, and is near impossible to delete

Security company Lookout is warning Android device owners about a new type of malware app, which not only secretly roots your phone, but also installs itself as a system application — making it extremely difficult to remove. How difficult? If you’re not technically inclined enough to entirely replace the ROM, then a brand-new phone may be the easiest way to escape its clutches.

Lookout refers to the virus as trojanized adware, and it’s hiding inside apps that appear to be legitimate versions of very popular apps, including Facebook, Twitter, Candy Crush, NYTimes, Google Now, Snapchat, and WhatsApp. The company has even seen compromised versions of two-step authentication app Okta.

However, before you start desperately trying to uninstall those apps from your phone, note that the malware-infected versions aren’t the originals, and have only been discovered in third-party app stores, not Google Play. If you’ve only been playing inside Google’s store, then you should be fine.

The infected apps are very clever. Lookout has detected 20,000 examples, and most work in exactly the same way as the apps they copy, making them more difficult for you to detect and making you less likely to try to uninstall them. With root access to your phone, the app becomes ingrained in the OS, which is how it becomes almost impossible to delete. Once up and running, ads will be pushed to your phone, and worse, apps can be downloaded and installed without your consent. Why? Because delivering ads and installing apps make the attackers money.

Apps infected with the trojans — known as Shuanet, Kemoge/ShiftyBug, and Shedun/GhostPush — have been discovered in many parts of the world, with the U.S., Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia being the worst hit, according to the report. Lookout warns this type of adware attack will only get more sophisticated, and make better use of root access to a phone, over time.

If you’ve been downloading apps from Android app stores other than Google Play (Amazon is probably safe too), and are worried you may have fallen victim to the trojanized adware, there’s a sure way to find out. Remember, the infected apps almost certainly cannot be uninstalled. If you can drag and uninstall the app, chances are it’s fine. Lookout doesn’t provide a complete list of apps that have been targeted by the malware, but does say it’s popular “first-tier” apps that are repackaged and sent out.

Andy Boxall
Senior Mobile Writer
Andy is a Senior Writer at Digital Trends, where he concentrates on mobile technology, a subject he has written about for…
Microsoft Defender antivirus software to roll out to iOS, Android this year

An iOS and Android version of Microsoft Defender will be released this year, bringing the antivirus software to mobile devices for the first time.

In an official blog post, it was revealed that Microsoft Defender Advanced Threat Protection has added support for Linux, joining Windows and macOS. Microsoft also said that there are plans to expand the program to iOS and Android, which will further extend the reach of the antivirus software.

Delete these eight malware-ridden Android apps immediately

Security researchers from the firm Check Point have discovered two families of malware in apps on the Google Play Store: a new family called Haken and the resurgence of an older family called Joker.

Both families are "clicker" malware, meaning they take over users' devices and fraudulently mimic clicks on ads. They can also access huge amounts of data, including anything displayed on screen or locally stored on a device. As well as stealing data, the malware can also sign up users for premium subscriptions they did not agree to.

You need to delete these 24 malware-infested Android apps right now

A number of apps have recently made their way into the Google Play Store with a little something extra: malware.
The malware, which has been dubbed “Joker,” is designed to sneakily sign users up for subscription services, ones that they might be charged for over the course of several months before they even realize that they’re subscribed.
Cybersecurity researcher Aleksejs Kuprins explained the issue in detail in a Medium post.
The malware appears to be targeting specific countries, including Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Netherlands, Norway, Poland, Portugal, Qatar, Republic of Argentina, Serbia, Singapore, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, United Kingdom and the United States.
The majority of the apps in question targeted specifically European and Asian countries and required a user to be using a SIM card from those regions in order for the malware to execute. In total 24 different apps were infected with the malware. Those apps were installed roughly 472,000 times. Metadata suggests that the apps started their campaigns in June 2019, although some may have also existed in the past.
That said, Kuprins notes that Google seems to be on top of the issue. Google removed all of the impacted apps from the Google Play store without any contact from the security researchers. 

Here's the list of apps infected with the Joker malware:
