Shedun Trojan uses legitimate functions of Android for deception of victims

Not so long ago specialists from Lookout Company reported the appearance of a very unpleasant family of mobile malware, which includes Trojans Shedun (GhostPush), Kemoge (ShiftyBug) and Shuanet. Precisely about this malware experts said that it is almost impossible to remove and it is easier to buy a new smart phone. Now, experts from Lookout noticed another unpleasant thing: the Trojan Shedun is able to install third party malicious applications on the user’s device without user’s permission.

Malware performs a clever trick, using Android Accessibility Service component for their profit. This component allows to visually impaired users to alternate ways to interact with the device.

So, let’s take a look how it works. First, the device becomes infected with Shedun Trojan, disguised as a legitimate application (there are plenty of those in unofficial stores). Once in the system, Shedun starts to cheat. It does not try to exploit any bug in the Accessibility Service, instead, the Trojan uses a documented OS functions. First it displays a dialog box, for example, promising to help user to get rid of unwanted advertising. Allegedly for that you just need to turn on Accessibility Service. It is ironic, given that the Shedun, Kemoge and Shuanet family called Trojan-adware – after infecting a system, the malware is literally flooding victims with advertisings, which is the main objective of the malware. Sometimes Shedun proposes to enable Accessibility Service to control the applications that are running in the background. Allegedly, the service helps to stop them in time and save device resources.

Then Shedun shows pop-up banner to the victim that cannot be closed (no matter where the user clicks – application will be downloaded). Since Accessibility Service is already enabled, malware is able to read the text on the screen, notice prompt message about application installation, scroll through the list of permissions required to install the application and even click on the “install” button, without user’s intervention. The process takes a few seconds and user may not even notice it.

All of this is worrying experts, especially in combination with the fact that Shedun, Kemoge and Shuanet installed so deeply in the system that to get rid of them the simple reset of the device to factory settings and complete removal of the entire system might not help. Experts from Lookout are saying that this type of malware is evolving very quickly and we can expect the appearance of more sophisticated representatives of this kind of malware.

Earlier, the Lookout Company has found more than 20 000 different Android applications containing Kemoge, Shedun and Shuanet malware. Those are mainly imitations of actually existing popular programs. The infection was spread to many different countries, including the United States, Russia, Germany, Iran, India, Jamaica, Sudan, Brazil, Mexico and Indonesia.

Remember, to prevent the infection with such malware you should always avoid third party application stores. Never trust to unknown programs developers and do not download applications from unofficial websites.