Shedun

Shedun is a family of malware (also known as Kemoge, Shiftybug and Shuanet) targeting the Android operating system. It was first identified in late 2015 by mobile security company Lookout, affecting roughly 20,000 popular Android applications. Lookout claimed the HummingBad malware was also part of the Shedun family; however, these claims were refuted.

Avira Protection Labs stated that Shedun-family malware is detected to cause approximately 1500-2000 infections per day. All three variants of the virus are known to share roughly 80% of the same source code. In mid-2016, Ars Technica reported that approximately 10,000,000 devices would be infected by this malware and that new infections would still be surging.

The malware's primary attack vector is repackaging legitimate Android applications (e.g. Facebook, Twitter, WhatsApp, Candy Crush, Google Now, Snapchat) with adware included. The app, which remains functional, is then released to a third-party app store; once downloaded, the application generates revenue by serving ads (estimated to amount to $2 US per installation). Most users cannot get rid of the virus without getting a new device, as the only other way to get rid of the malware is to root affected devices and re-flash a custom ROM. In addition, Shedun-type malware has been detected pre-installed on 26 different types of Chinese Android-based hardware such as smartphones and tablets.

Shedun-family malware is known for auto-rooting the Android OS using well-known exploits like ExynosAbuse, Memexploit and Framaroot (causing a potential privilege escalation), and for serving trojanized adware and installing itself within the system partition of the operating system, so that not even a factory reset can remove the malware from infected devices. Shedun malware is known for targeting the Android Accessibility Service, as well as for downloading and installing arbitrary applications (usually adware) without permission. It is classified as "aggressive adware" for installing potentially unwanted program applications and serving ads. As of April 2016, Shedun malware is considered by most security researchers to be next to impossible to entirely remove.

Avira security researcher Pavel Ponomariov, who specializes in Android malware detection tools, mobile threat detection, and mobile malware detection automation research, has published an in-depth analysis of this malware. The countries most infected by this virus were in Asia, including China, India, Philippines, Indonesia and Turkey.
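
The two persistence traits described above (residence on the system partition and use of the Accessibility Service) can be triaged from a device's package list. The following is an added example, not code from the article or from any vendor's tooling: the sample command output, the `com.example.*` package names and the `BASELINE` factory-image list are constructed assumptions.

```python
# Partitions that a factory reset does not wipe.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/")

# Constructed sample of `adb shell pm list packages -f` output.
PM_LIST = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/TalkBack/TalkBack.apk=com.google.android.marvin.talkback
package:/system/priv-app/SysCore/SysCore.apk=com.example.syscore
package:/system/app/Updater/Updater.apk=com.example.updater
package:/data/app/com.example.reader-1/base.apk=com.example.reader
package:/data/app/com.example.game-1/base.apk=com.example.game
"""
# Constructed `adb shell settings get secure enabled_accessibility_services` value.
A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
        "com.example.syscore/.HelperService:com.example.reader/.ReadAloudService")
# Assumption: packages known to ship in this device's factory image.
BASELINE = {"com.android.settings", "com.google.android.marvin.talkback"}

def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` lines."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            # The path can itself contain '=', so split on the last one.
            path, _, name = line[len("package:"):].rpartition("=")
            if path and name:
                pkgs[name] = path
    return pkgs

def parse_a11y(value):
    """Package names from the colon-separated accessibility-services value."""
    value = value.strip()
    if value in ("", "null"):  # nothing enabled
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def triage(pm_text, a11y_value, baseline):
    """Return {package: severity} for packages that deserve a closer look."""
    findings, a11y = {}, parse_a11y(a11y_value)
    for name, path in parse_pm_list(pm_text).items():
        on_system = path.startswith(SYSTEM_PREFIXES)
        if on_system and name not in baseline:
            # Not in the factory image, yet it would survive a factory reset.
            findings[name] = "high" if name in a11y else "medium"
        elif name in a11y and not on_system:
            findings[name] = "review"  # user-installed app holding accessibility
    return findings
```

A "high" result only means the package is both unexpected on a reset-surviving partition and holds an accessibility service; confirming a specific family still requires sample analysis.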


See also

* Brain Test
* Dendroid (Malware)
* Computer virus
* File binder
* Individual mobility
* Malware
* Trojan horse (computing)
* Worm (computing)
* Mobile operating system

