Shedun
{{Short description|Android based malware}}

'''Shedun''' is a family of [[malware]] (also known as Kemoge, Shiftybug and Shuanet<ref>{{cite web|author=@HackTheW0r1d |url=https://hackbails.wordpress.com/2015/11/05/trojanized-adware-already-infected-more-than-20000-android-apps/ |title=Shuanet, ShiftyBug and Shedun malware could auto-root your Android – HackBails |publisher=Hackbails.wordpress.com |date=2015-11-05 |accessdate=2016-10-02}}</ref><ref name="securityweek.com">{{cite web|url=http://www.securityweek.com/android-adware-abuses-accessibility-service-install-apps|title=Android Adware Abuses Accessibility Service to Install Apps |website=SecurityWeek.com|date=20 November 2015 |accessdate=2016-04-20}}</ref><ref name="manishsingh">{{cite web|url=http://gadgets.ndtv.com/apps/news/new-android-adware-can-download-install-apps-without-permission-report-768664|title=New Android Adware Can Download, Install Apps Without Permission: Report|author=Manish Singh|work=NDTV Gadgets360.com|date=23 November 2015 }}</ref>) targeting the [[Android (operating system)|Android operating system]]. It was first identified in late 2015 by the mobile security company [[Lookout (IT security)|Lookout]], which found it repackaged into roughly 20,000<ref name="appleinsider.com">{{cite web|url=http://forums.appleinsider.com/discussion/189949/three-new-malware-strains-infect-20k-apps-impossible-to-wipe-only-affect-android|title=Three new malware strains infect 20k apps, impossible to wipe, only affect Android|work=AppleInsider Forums|date=5 November 2015 }}</ref> popular Android applications.<ref name="manishsingh"/><ref>{{cite web|last=Dilger |first=Daniel Eran |url=http://appleinsider.com/articles/15/11/05/three-new-malware-strains-infect-20k-apps-impossible-to-wipe-only-affect-android |title=Three new malware strains infect 20k apps, impossible to wipe, only affect Android |publisher=Appleinsider.com |date=2015-11-05 |accessdate=2016-10-02}}</ref><ref>{{cite web|url=http://www.droidreport.com/articles/2516/20151110/android-malware-loose-shuanet-shiftybug-shedun-signatures-found-20000-apps-outside-google.htm|title=Android Malware On The Loose: Shuanet, ShiftyBug And Shedun Signatures Found On 20,000 Apps Outside Google Play Store|work=Droid Report|date=10 November 2015}}</ref><ref>{{cite web|url=http://darkmatters.norsecorp.com/2015/11/20/shedun/|title=Shedun Trojan goes solo|work=Darkmatters|date=20 November 2015|access-date=18 April 2016|archive-date=8 April 2016|archive-url=https://web.archive.org/web/20160408145243/http://darkmatters.norsecorp.com/2015/11/20/shedun/|url-status=dead}}</ref><ref>{{cite web|url=http://lavasoft.com/mylavasoft/company/blog/popular-mobile-apps-repackaged-with-trojans |title=Popular Mobile Apps Repackaged with Trojans |publisher=Lavasoft |date=2015-11-04 |accessdate=2016-10-02}}</ref> Lookout claimed that the [[Hummingbad|HummingBad]] malware was also part of the Shedun family, but other researchers refuted this attribution.<ref>{{Cite web|url=http://blog.elevenpaths.com/2016/07/another-month-another-new-rooting.html|title=Another month, another new rooting malware family for Android|website=blog.elevenpaths.com|date=July 2016|access-date=2016-10-09|archive-date=10 October 2016|archive-url=https://web.archive.org/web/20161010173521/http://blog.elevenpaths.com/2016/07/another-month-another-new-rooting.html|url-status=dead}}</ref><ref>{{Cite web|url=http://blog.checkpoint.com/2016/07/11/diy-attribution-classification-depth-analysis-mobile-malware/|title=DIY Attribution, Classification, and In-depth Analysis of Mobile Malware|date=2016-07-11|website=Check Point Blog|access-date=2016-10-09}}</ref>
[[Avira]] Protection Labs reported that it detects approximately 1,500 to 2,000 new Shedun-family infections per day.<ref name="avira.com">{{cite web|url=http://blog.avira.com/shedun/|title=Shedun: adware/malware family threatening your Android device|work=Avira Blog|date=3 September 2015}}</ref>
The three variants Shuanet, Shedun and ShiftyBug share roughly 80% of their source code.<ref>{{cite web|url=http://www.elektronikpraxis.vogel.de/iot/security/articles/510900/|title=Neue Welle von Android-Malware lässt sich kaum mehr entfernen|website=Elektronikpraxis.vogel.de|language=de|accessdate=2016-04-20|archive-date=15 February 2017|archive-url=https://web.archive.org/web/20170215124907/http://www.elektronikpraxis.vogel.de/iot/security/articles/510900/|url-status=dead}}</ref><ref>{{cite web|url=http://www.itseccity.de/virenwarnung/hintergrund/lookout021215.html|title=Gemeinsamkeiten: Shuanet, Shedun & ShiftyBug|author=PMK Presse, Messe & Kongresse Verlags GmbH|website=Itseccity.de|language=de|accessdate=2016-04-20}}</ref>
In July 2016, [[Ars Technica]] reported that the malware had infected approximately 10 million devices<ref name="arstechnica1">{{cite web|last=Goodin |first=Dan |url=https://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/ |title=10 million Android phones infected by all-powerful auto-rooting apps |publisher=Ars Technica |date=2016-07-07 |accessdate=2016-10-02}}</ref> and that new infections were still surging.<ref>{{cite web|last=Schwartz |first=Mathew J. |url=http://www.bankinfosecurity.com/android-trojanized-adware-shedun-infections-surge-a-9249 |title=Android Trojanized Adware 'Shedun' Infections Surge |publisher=Bankinfosecurity.com |date=2016-07-08 |accessdate=2016-10-02}}</ref><ref>{{Cite web|url=https://www.linkedin.com/pulse/android-trojanized-adware-shedun-infections-surge-mike-rogan|title=Android Trojanized Adware 'Shedun' Infections Surge|website=www.linkedin.com}}</ref>
The malware's primary distribution vector is the repackaging of legitimate Android applications (for example [[Facebook apps|Facebook]], [[Twitter]], [[WhatsApp]], Candy Crush, Google Now and Snapchat<ref>{{cite web|url=https://blog.botfrei.de/2015/11/android-trojaner-auf-dem-vormarsch/|title=Android-Malware: Adware war gestern. Android-Trojaner auf dem Vormarsch.|work=botfrei Blog|language=de|date=9 November 2015}}</ref>)<ref name="appleinsider.com" /><ref name="auto">{{cite web|url=https://arstechnica.com/security/2015/11/new-type-of-auto-rooting-android-adware-is-nearly-impossible-to-remove/|title=New type of auto-rooting Android adware is nearly impossible to remove|work=Ars Technica|date=4 November 2015}}</ref><ref name="michaelmimoso">{{cite web|url=https://threatpost.com/shuanet-adware-rooting-android-devices-via-trojanized-apps/115265/|title=Shuanet Adware Roots Android Devices|author=Michael Mimoso|work=Threatpost|date=4 November 2015 }}</ref> with the adware bundled in. The repackaged app, which remains fully functional, is then published on third-party app stores;<ref>{{cite web|url=http://www.itespresso.de/2015/11/23/shedun-adware-nistet-sich-gegen-den-willen-der-nutzer-in-android-ein/|title=Adware Shedun nistet sich gegen den Willen der Nutzer in Android ein|work=ITespresso.de|language=de|date=23 November 2015}}</ref> once installed, it generates revenue for its operators by serving ads (estimated at around US$2 per installation<ref name="michaelmimoso" />). Because the malware roots the device and writes itself to the system partition, most users cannot remove it: short of replacing the device, the only other way to get rid of it is to [[Rooting (Android OS)|root]] the affected device and re-flash a [[Custom firmware|custom ROM]].<ref>{{cite web|url=http://en.yibada.com/articles/82763/20151108/android-trojan-software-morphs-real-apps-nearly-impossible-remove-device.htm|title=Android Trojan Software Morphs Into Real Apps, Nearly Impossible To Remove From Device's System: Report|work=Yibada|date=8 November 2015}}</ref><ref>{{cite web|url=http://www.golem.de/news/android-malware-schadsoftware-rootet-und-infiziert-geraete-unwiederbringlich-1511-117307.html|title=Android-Malware: Neue Schadsoftware rootet Geräte und ist kaum zu entfernen|work=Golem.de|language=de|date=November 2015}}</ref>
In addition, Shedun-type malware has been found pre-installed on 26 models<ref>{{cite web|url=http://thehackernews.com/2015/09/android-smartphone-malware.html|title=26 Android Phone Models Shipped with Pre-Installed Spyware|author=Swati Khandelwal|date=3 September 2015|work=The Hacker News}}</ref> of Chinese-made Android [[smartphone]]s and [[tablet computer]]s, some of them sold through Amazon.<ref>{{cite web |url=https://public.gdatasoftware.com/Presse/Publikationen/Malware_Reports/G_DATA_MobileMWR_Q2_2015_US.pdf |title=G Data: Mobile Malware Report Q2 2015 |website=Public.gdatasoftware.com |accessdate=2016-04-20 |archive-date=15 February 2017 |archive-url=https://web.archive.org/web/20170215072736/https://public.gdatasoftware.com/Presse/Publikationen/Malware_Reports/G_DATA_MobileMWR_Q2_2015_US.pdf |url-status=dead }}</ref><ref>{{cite web|url=http://news.softpedia.com/news/24-chinese-android-smartphones-models-come-with-pre-installed-malware-490930.shtml|title=24 Chinese Android Smartphone Models Come with Pre-Installed Malware|author=Catalin Cimpanu|date=4 September 2015|work=softpedia}}</ref><ref>{{cite web|url=http://www.ibtimes.com/amazon-selling-40-android-tablets-come-pre-installed-malware-2181424|title=Amazon Selling $40 Android Tablets That Come With Pre-Installed Malware|author=David Gilbert|work=International Business Times|date=12 November 2015}}</ref><ref>{{cite web|url=http://securityaffairs.co/wordpress/39821/hacking/chinese-smartphones-pre-installed-malware.html|title=Chinese smartphones infected with pre-installed malware|work=Security Affairs|date=2 September 2015}}</ref><ref>{{cite web|url=http://www.scmagazine.com/chinese-android-smartphones-now-shipping-with-pre-installed-malware/article/436655/|title=Chinese Android smartphones now shipping with pre-installed malware|work=SC Magazine|access-date=18 April 2016|archive-date=7 May 2016|archive-url=https://web.archive.org/web/20160507000052/http://www.scmagazine.com/chinese-android-smartphones-now-shipping-with-pre-installed-malware/article/436655/|url-status=dead}}</ref><ref>{{cite web|url=http://au.idigitaltimes.com/malware-found-pre-installed-xiaomi-huawei-lenovo-phones-107190|title=Malware Found Pre-Installed on Xiaomi, Huawei, Lenovo Phones|author=Diane Samson|work=iDigitalTimes.com|access-date=18 April 2016|archive-date=23 August 2016|archive-url=https://web.archive.org/web/20160823030514/http://au.idigitaltimes.com/malware-found-pre-installed-xiaomi-huawei-lenovo-phones-107190|url-status=dead}}</ref><ref>{{cite web|url=http://www.designntrend.com/articles/64631/20151113/amazon-s-40-chinese-android-tablets-infected-pre-installed-malware.htm|title=Amazon's $40 Chinese Android Tablets Infected With Pre-Installed Malware|work=Design & Trend|date=13 November 2015|access-date=18 April 2016|archive-date=15 February 2017|archive-url=https://web.archive.org/web/20170215072603/http://www.designntrend.com/articles/64631/20151113/amazon-s-40-chinese-android-tablets-infected-pre-installed-malware.htm|url-status=dead}}</ref><ref>{{cite web|url=http://www.computerworld.com/article/2488173/security0/pre-installed-malware-found-on-new-android-phones.html|title=Pre-installed malware found on new Android phones|author=Jeremy Kirk|date=5 March 2014|work=Computerworld}}</ref><ref>{{cite web |url=https://public.gdatasoftware.com/Presse/Publikationen/Malware_Reports/G_DATA_MobileMWR_Q2_2015_EN.pdf |title=G Data: Mobile Malware Report Q2 2015 |website=Public.gdatasoftware.com |accessdate=2016-04-20 |archive-date=10 March 2016 |archive-url=https://web.archive.org/web/20160310213705/https://public.gdatasoftware.com/Presse/Publikationen/Malware_Reports/G_DATA_MobileMWR_Q2_2015_EN.pdf |url-status=dead }}</ref><ref>{{cite web|url=https://www.hackread.com/amazon-safe-haven-for-android-tablets-malware/|title=Amazon Store, a safe haven for Android Tablets with pre-installed malware|author=Waqas|work=HackRead|date=14 November 2015}}</ref><ref>{{cite web|url=http://www.eweek.com/security/pre-installed-android-malware-raises-security-risks-in-supply-chain.html|title=Pre-Installed Android Malware Raises Security Risks in Supply Chain|work=eWeek}}</ref><ref>{{cite web|url=http://www.huffingtonpost.com/entry/android-malware-pre-installed_us_55e6f2e8e4b0aec9f355271f|title=Some Android Phones Come With Malware Pre-Installed: Report|work=The Huffington Post|access-date=18 April 2016|archive-date=30 May 2016|archive-url=https://web.archive.org/web/20160530075813/http://www.huffingtonpost.com/entry/android-malware-pre-installed_us_55e6f2e8e4b0aec9f355271f|url-status=dead}}</ref><ref>{{cite web|url=http://wccftech.com/brand-android-smartphones-coming-spyware-malware/|title=Brand New Android Smartphones Coming with Spyware and Malware|work=WCCFtech|date=4 September 2015}}</ref>
Shedun-family malware is known for automatically [[Rooting (Android OS)|rooting the Android OS]]<ref name="auto"/><ref>{{cite web|url=http://techreport.com/news/29281/trojan-adware-on-android-can-give-itself-root-access|title=Trojan adware on Android can give itself root access|work=The Tech Report|date=5 November 2015}}</ref> using well-known public [[Exploit (computer security)|exploits]] such as ExynosAbuse, Memexploit and Framaroot,<ref>{{cite web|url=http://praxistipps.chip.de/shedun-shuanet-und-shiftybug-android-smartphone-vor-malware-schuetzen_44475|title=Shedun, Shuanet und Shiftybug: Android-Smartphone vor Malware schützen|work=CHIP Praxistipps|language=de}}</ref> a [[privilege escalation]] from an ordinary app sandbox to root,<ref name="michaelmimoso"/><ref>{{cite web|url=http://blog.check-and-secure.com/android-nutzer-achtung-vor-trojaner-adware-shedun_15-11-25/|title=Android-Nutzer: Achtung vor Trojaner-Adware Shedun|work=Check & Secure|language=de|date=25 November 2015}}</ref><ref>{{cite web|url=http://www.extremetech.com/mobile/217544-new-android-adware-tries-to-root-your-phone-so-you-cant-remove-it|title=New Android adware tries to root your phone so you can't remove it|work=ExtremeTech|date=5 November 2015 }}</ref><ref>{{cite web|url=http://www.scmagazineuk.com/more-than-20000-apps-auto-root-android-devices/article/451797/|title=More than 20,000 apps auto-root Android devices|work=SC Magazine UK}}</ref> and for serving [[Trojan horse (computing)|trojanized]] [[adware]] and installing itself into the [[Partition (computers)|system partition]] of the [[operating system]]. Since a [[factory reset]] wipes only the user data partition, not the system partition, it does not remove the malware from infected devices.<ref name="theregister.co.uk">{{cite web|url=https://www.theregister.co.uk/2015/11/20/shedun_adware/|title=Android's accessibility service grants god-mode p0wn power|website=[[The Register]]|date=20 November 2015}}</ref><ref>{{cite web|url=https://blog.lookout.com/blog/2015/11/19/shedun-trojanized-adware/ |title=Trojanized adware family abuses accessibility service to install whatever apps it wants |website=Lookout Blog |date=2015-11-19 |accessdate=2016-04-10}}</ref>
Shedun is also known for abusing the Android Accessibility Service:<ref name="securityweek.com"/><ref name="theregister.co.uk"/><ref>{{cite web|url=http://www.theinquirer.net/inquirer/news/2435721/shedun-trojan-adware-is-hitting-the-android-accessibility-service|archive-url=https://web.archive.org/web/20151120210103/http://www.theinquirer.net/inquirer/news/2435721/shedun-trojan-adware-is-hitting-the-android-accessibility-service|url-status=unfit|archive-date=20 November 2015|title=Shedun trojan adware is hitting the Android Accessibility Service|website=Theinquirer.net|date=20 November 2015|accessdate=2016-04-20}}</ref><ref>{{cite web|url=http://securityaffairs.co/wordpress/42164/malware/shedun-trojanized-adware.html|title=Shedun adware can install any malicious mobile app|work=Security Affairs|date=22 November 2015}}</ref><ref>{{cite AV media|url=https://www.youtube.com/watch?v=VDWmEUm6mQM|title=Shedun gaining accessibility service privileges|date=18 November 2015|via=YouTube}}</ref><ref>{{cite web|url=http://www.heise.de/security/meldung/Android-Malware-Werbeterror-wie-von-Geisterhand-3009688.html|title=Android-Malware: Werbeterror wie von Geisterhand|author=Dennis Schirrmacher|date=20 November 2015|work=heise Security|language=de}}</ref><ref>{{cite web|url=http://www.trojaner-info.de/news2/der-adware-trojaner-shedun.html|title=Der Adware-Trojaner Shedun|date=6 December 2015|work=trojaner-info.de|language=de}}</ref> it prompts the user to enable an accessibility service on its behalf and then uses that service's ability to read the screen and click for the user to accept the installation dialogs of further applications<ref>{{cite web|url=http://thehackernews.com/2015/11/android-malware-auto-install.html|title=This Malware Can Secretly Auto-Install any Android App to Your Phone|author=Swati Khandelwal|date=20 November 2015|work=The Hacker News}}</ref> (usually [[adware]]), so that they are installed without the user's consent, even when the user explicitly declines them.<ref name="manishsingh"/> It is classified as "aggressive adware" for installing [[potentially unwanted program]]s<ref>{{cite web|url=http://www.areamobile.de/news/35337-trojaner-adware-installiert-selbststaendig-ungewollte-android-apps|title=Trojaner-Adware installiert selbstständig ungewollte Android-Apps|website=Areamobile.de|language=de|accessdate=2016-04-20}}</ref><ref>{{cite web|url=http://androidmag.de/news/technik-news/shedun-neue-android-adware-installiert-apps-ohne-deine-einwilligung/|title=Shedun: Neue Android-Adware installiert Apps ohne deine Einwilligung|work=Androidmag|language=de|date=25 November 2015}}</ref><ref>{{cite web|url=http://winfuture.de/news,89953.html|title=Installation auch nach Ablehnung: Neue dreiste Android-Adware|author=John Woll|date=23 November 2015|work=WinFuture|language=de}}</ref> and serving ads.<ref>{{cite web|url=http://en.yibada.com/articles/90437/20151201/android-shedun-malware.htm|title=Android Shedun Malware: New Malware That Can Grant Access to Your Phone; Malware Impossible To Be Removed?|work=Yibada|date=1 December 2015}}</ref>
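The three behaviours described above, a legitimate app repackaged and re-signed under the attacker's key, an APK persisted on the system partition so that a factory reset does not remove it, and installs driven through an enabled accessibility service, each leave an artefact that can be checked from a host with adb. The following Python script is an added example written for this page, not code from Lookout, Avira or any Shedun sample. It runs the three checks over constructed sample output of `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -f -s` and `apksigner verify --print-certs`; the package names (`com.example.*`), the allowlist, the firmware baseline and the certificate digests are hypothetical placeholders.

```python
"""Offline triage for three Shedun behaviours, over constructed adb/apksigner output.

  1. accessibility: an enabled accessibility service owned by a package not on
     the allowlist (the malware has the user enable one, then clicks through
     install dialogs with it).
  2. system_partition: an APK under /system/app or /system/priv-app whose
     package is not in the firmware baseline (a factory reset wipes /data,
     not /system, so such an APK survives it).
  3. resigned: a package whose APK signing-certificate SHA-256 is not the
     known-good digest for that package name (a repackaged app must be
     re-signed with the attacker's key).

Added example for this page; all sample output, package names, the allowlist,
the baseline and the digests are constructed/hypothetical.
"""
import re

# Constructed output of: adb shell settings get secure enabled_accessibility_services
ENABLED_A11Y = "com.example.talkback/.TalkBackService:com.example.flashlight/.HelperService"
A11Y_ALLOWLIST = {"com.example.talkback"}  # hypothetical: services the owner enabled on purpose

# Constructed output of: adb shell pm list packages -f -s   (format: package:<apk path>=<package>)
PM_LIST_SYSTEM = """\
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/ksupport/ksupport.apk=com.example.flashlight
"""
SYSTEM_BASELINE = {"com.android.calculator2", "com.android.settings"}  # hypothetical firmware inventory

# Constructed output of: apksigner verify --print-certs <pulled apk>, keyed by package.
# The digests are hypothetical placeholders, not real certificate fingerprints.
SOCIAL_GOOD = "0f" * 32
ANDROID_GOOD = "a1" * 32
ATTACKER_KEY = "c3" * 32
APKSIGNER_OUTPUT = {
    "com.example.social": (
        "Signer #1 certificate DN: CN=Example Social\n"
        f"Signer #1 certificate SHA-256 digest: {ATTACKER_KEY}\n"
    ),
    "com.android.settings": (
        "Signer #1 certificate DN: CN=Android\n"
        f"Signer #1 certificate SHA-256 digest: {ANDROID_GOOD}\n"
    ),
}
KNOWN_GOOD_SHA256 = {"com.example.social": SOCIAL_GOOD, "com.android.settings": ANDROID_GOOD}


def parse_enabled_accessibility(setting):
    """Owning package of each enabled accessibility service.

    The setting is a ':'-separated list of 'package/ServiceClass' entries and
    prints as 'null' when nothing is enabled."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    return [entry.split("/", 1)[0] for entry in setting.split(":") if entry]


def unexpected_accessibility(setting, allowlist):
    """Packages with an enabled accessibility service that are not on the allowlist."""
    return sorted(set(parse_enabled_accessibility(setting)) - set(allowlist))


_PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")


def parse_pm_list(text):
    """(package, apk_path) pairs from `pm list packages -f` output; other lines are ignored."""
    pairs = []
    for line in text.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            pairs.append((m["pkg"], m["path"]))
    return pairs


def unexpected_system_packages(text, baseline):
    """Packages whose APK lives on the system partition but is absent from the firmware baseline."""
    return [(pkg, path) for pkg, path in parse_pm_list(text)
            if path.startswith(("/system/app/", "/system/priv-app/")) and pkg not in baseline]


_SHA256_LINE = re.compile(r"certificate SHA-256 digest:\s*([0-9A-Fa-f]{64})")


def parse_signer_sha256(apksigner_text):
    """All signer certificate SHA-256 digests printed by apksigner, lower-cased."""
    return [d.lower() for d in _SHA256_LINE.findall(apksigner_text)]


def resigned_packages(outputs, known_good):
    """Packages whose observed signer set is not exactly the known-good digest.

    A package with no known-good entry is reported too: an unknown signer is a
    finding, not a pass."""
    flagged = []
    for pkg, text in outputs.items():
        expected = known_good.get(pkg)
        if expected is None or set(parse_signer_sha256(text)) != {expected}:
            flagged.append(pkg)
    return sorted(flagged)


def triage():
    """Run all three checks over the constructed samples."""
    return {
        "accessibility": unexpected_accessibility(ENABLED_A11Y, A11Y_ALLOWLIST),
        "system_partition": unexpected_system_packages(PM_LIST_SYSTEM, SYSTEM_BASELINE),
        "resigned": resigned_packages(APKSIGNER_OUTPUT, KNOWN_GOOD_SHA256),
    }


if __name__ == "__main__":
    for check, hits in triage().items():
        print(f"{check}: {hits if hits else 'clean'}")
```

On a real device the three constants would be replaced with the live command output (each APK pulled with `adb pull` before running apksigner on it). The signer check works because the platform refuses to update an installed package with an APK signed by a different key, so a repackaged copy can only reach the device as a fresh sideload, and its signer digest will not match the one published for the genuine app. The system-partition check is what makes the "factory reset does not help" claim testable: a reset wipes /data, so any APK still present under /system afterwards was either part of the firmware image or written there by something running as root.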
As of April 2016, most security researchers considered Shedun malware next to impossible to remove entirely without re-flashing or replacing the device.<ref>{{cite web|url=http://www.noz.de/deutschland-welt/gut-zu-wissen/artikel/635820/gefahrliche-android-schadsoftware-oft-hilft-nur-neues-gerat-1 |title=Gefährliche Android-Schadsoftware: Oft hilft nur neues Gerät |website=Noz.de |language=de |date=9 November 2015 |accessdate=2016-04-20}}</ref><ref>{{cite news|url=http://www.theinquirer.net/inquirer/news/2435721/shedun-trojan-adware-is-hitting-the-android-accessibility-service |archive-url=https://web.archive.org/web/20151120210103/http://www.theinquirer.net/inquirer/news/2435721/shedun-trojan-adware-is-hitting-the-android-accessibility-service |url-status=unfit |archive-date=20 November 2015 |title=Shedun trojan adware is hitting the Android Accessibility Service |newspaper=[[The Inquirer]] |date=2015-11-20 |accessdate=2016-04-10}}</ref><ref>{{cite web |url=https://blog.lookout.com/blog/2015/11/04/trojanized-adware/ |title=Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire |website=Lookout Blog |date=2015-11-04 |accessdate=2016-04-10 |archive-date=19 February 2017 |archive-url=https://web.archive.org/web/20170219042903/https://blog.lookout.com/blog/2015/11/04/trojanized-adware/ |url-status=dead }}</ref><ref>{{cite web|url=http://betanews.com/2015/11/05/shuanet-shiftybug-and-shedun-malware-could-auto-root-your-android/ |title=Shuanet, ShiftyBug and Shedun malware could auto-root your Android |website=Betanews.com |date=5 November 2015|accessdate=2016-04-10}}</ref><ref>{{cite web|url=http://www.techtimes.com/articles/104373/20151109/new-family-of-android-malware-virtually-impossible-to-remove-say-hello-to-shedun-shuanet-and-shiftybug.htm |title=New Family Of Android Malware Virtually Impossible To Remove: Say Hello To Shedun, Shuanet And ShiftyBug |publisher=Tech Times |date=9 November 2015|accessdate=2016-04-10}}</ref><ref>{{cite web|last=Goodin |first=Dan |url=https://arstechnica.com/security/2015/11/android-adware-can-install-itself-even-when-users-explicitly-reject-it/ |title=Android adware can install itself even when users explicitly reject it |publisher=Ars Technica |date=2015-11-19 |accessdate=2016-04-10}}</ref>
[[Avira]] security researcher Pavel Ponomariov, who specializes in Android malware detection and its automation,<ref>{{cite web|url=http://blog.avira.com/author/pavel-ponomariov/|title=Pavel Ponomariov - Avira Blog|work=Avira Blog|access-date=18 April 2016|archive-date=20 April 2016|archive-url=https://web.archive.org/web/20160420035150/http://blog.avira.com/author/pavel-ponomariov/|url-status=dead}}</ref> has published an in-depth analysis of this malware.<ref name="avira.com"/>

The countries with the most infections were China, India, the Philippines, Indonesia and Turkey.<ref>{{cite web |last1=Schwartz |first1=Mathew J. |title=Android Trojanized Adware 'Shedun' Infections Surge |url=https://www.bankinfosecurity.com/android-trojanized-adware-shedun-infections-surge-a-9249 |website=bankinfosecurity.com |date=2016-07-08 |language=en}}</ref>

==See also== |
==See also== |
||
Line 35: | Line 37: | ||
{{Use dmy dates|date=August 2016}} |
{{Use dmy dates|date=August 2016}} |
||
⚫ | |||
[[Category:Software distribution]] |
[[Category:Software distribution]] |
||
[[Category:Mobile malware]] |
|||
[[Category:Trojan horses]] |
[[Category:Trojan horses]] |
||
[[Category:Social engineering ( |
[[Category:Social engineering (security)]] <!-- due to accessibility service use --> |
||
[[Category:Rootkits]] |
[[Category:Rootkits]] |
||
[[Category:Privilege escalation exploits]] |
[[Category:Privilege escalation exploits]] |
||
[[Category:Adware]] |
[[Category:Adware]] |
||
[[Category:Online advertising]] |
[[Category:Online advertising]] |
||
[[Category:Android malware]] |
[[Category:Android (operating system) malware]] |
||
[[Category:Mobile security]] |
[[Category:Mobile security]] |
||
[[Category:Android (operating system) software]] |
|||
[[Category:Spyware]] |
[[Category:Spyware]] |
||
[[Category:Privacy]] |
[[Category:Privacy]] |
||
⚫ |
Latest revision as of 20:50, 28 December 2024
Shedun is a family of malware (also known as Kemoge, Shiftybug and Shuanet[1][2][3]) targeting the Android operating system, first identified in late 2015 by the mobile security company Lookout and affecting roughly 20,000[4] popular Android applications.[3][5][6][7][8] Lookout claimed the HummingBad malware was also part of the Shedun family; however, these claims were refuted.[9][10]
Avira Protection Labs stated that Shedun-family malware was detected causing approximately 1500–2000 infections per day.[11] All three variants of the malware are known to share roughly 80% of the same source code.[12][13]
In mid-2016, Ars Technica reported that approximately 10,000,000 devices had been infected by this malware[14] and that new infections were still surging.[15][16]
The malware's primary attack vector is repackaging legitimate Android applications (e.g. Facebook, Twitter, WhatsApp, Candy Crush, Google Now, Snapchat[17])[4][18][19] with adware included. The repackaged app, which remains functional, is then released to a third-party app store;[20] once downloaded, it generates revenue by serving ads (estimated at US$2 per installation[19]). Most users cannot get rid of the malware without getting a new device, as the only other way to remove it is to root the affected device and re-flash a custom ROM.[21][22]
In addition, Shedun-type malware has been detected pre-installed on 26 different models[23] of Chinese Android-based hardware such as smartphones and tablet computers.[24][25][26][27][28][29][30][31][32][33][34][35][36]
Shedun-family malware is known for auto-rooting the Android OS[18][37] using well-known exploits such as ExynosAbuse, Memexploit and Framaroot[38] (causing a potential privilege escalation[19][39][40]),[41] for serving trojanized adware, and for installing itself in the system partition of the operating system, so that not even a factory reset can remove the malware from infected devices.[42][43]
Shedun malware is known for targeting the Android Accessibility Service,[2][42][44][45][46][47][48] as well as for downloading and installing arbitrary applications[49] (usually adware) without permission.[3] It is classified as "aggressive adware" for installing potentially unwanted programs[50][51][52] and serving ads.[53]
As of April 2016, Shedun malware is considered by most security researchers to be next to impossible to entirely remove.[54][55][56][57][58][59]
Avira security researcher Pavel Ponomariov, who specializes in Android malware detection tools, mobile threat detection, and mobile malware detection automation research,[60] has published an in-depth analysis of this malware.[11]
The countries most infected by this malware were in Asia, including China, India, the Philippines, Indonesia and Turkey.[61]
See also
- Brain Test
- Dendroid (Malware)
- Computer virus
- File binder
- Individual mobility
- Malware
- Trojan horse (computing)
- Worm (computing)
- Mobile operating system
References
1. @HackTheW0r1d (5 November 2015). "Shuanet, ShiftyBug and Shedun malware could auto-root your Android – HackBails". Hackbails.wordpress.com. Retrieved 2 October 2016.
2. "Android Adware Abuses Accessibility Service to Install Apps". SecurityWeek.com. 20 November 2015. Retrieved 20 April 2016.
3. Manish Singh (23 November 2015). "New Android Adware Can Download, Install Apps Without Permission: Report". NDTV Gadgets360.com.
4. "Three new malware strains infect 20k apps, impossible to wipe, only affect Android". AppleInsider Forums. 5 November 2015.
5. Eran, Daniel (5 November 2015). "Three new malware strains infect 20k apps, impossible to wipe, only affect Android". Appleinsider.com. Retrieved 2 October 2016.
6. "Android Malware On The Loose: Shuanet, ShiftyBug And Shedun Signatures Found On 20,000 Apps Outside Google Play Store". Droid Report.
7. "Shedun Trojan goes solo". Darkmatters. Archived from the original on 8 April 2016. Retrieved 18 April 2016.
8. "Popular Mobile Apps Repackaged with Trojans". Lavasoft. 4 November 2015. Retrieved 2 October 2016.
9. "Another month, another new rooting malware family for Android". blog.elevenpaths.com. Archived from the original on 10 October 2016. Retrieved 9 October 2016.
10. "DIY Attribution, Classification, and In-depth Analysis of Mobile Malware". Check Point Blog. 11 July 2016. Retrieved 9 October 2016.
11. "Shedun: adware/malware family threatening your Android device". Avira Blog. 3 September 2015.
12. "Neue Welle von Android-Malware lässt sich kaum mehr entfernen". Elektronikpraxis.vogel.de. Archived from the original on 15 February 2017. Retrieved 20 April 2016.
13. PMK Presse, Messe & Kongresse Verlags GmbH. "Gemeinsamkeiten: Shuanet, Shedun & ShiftyBug". Itseccity.de. Retrieved 20 April 2016.
14. Dan Goodin (7 July 2016). "10 million Android phones infected by all-powerful auto-rooting apps". Ars Technica. Retrieved 2 October 2016.
15. "Android Trojanized Adware 'Shedun' Infections Surge". Bankinfosecurity.com. 8 July 2016. Retrieved 2 October 2016.
16. "Android Trojanized Adware 'Shedun' Infections Surge". www.linkedin.com.
17. "Android-Malware: Adware war gestern. Android-Trojaner auf dem Vormarsch". botfrei Blog. 9 November 2015.
18. "New type of auto-rooting Android adware is nearly impossible to remove". Ars Technica. 4 November 2015.
19. Michael Mimoso (4 November 2015). "Shuanet Adware Roots Android Devices". Threatpost.
20. "Adware Shedun nistet sich gegen den Willen der Nutzer in Android ein". ITespresso.de. 23 November 2015.
21. "Android Trojan Software Morphs Into Real Apps, Nearly Impossible To Remove From Device's System: Report". Yibada.
22. "Android-Malware: Neue Schadsoftware rootet Geräte und ist kaum zu entfernen". Golem.de.
23. Swati Khandelwal (3 September 2015). "26 Android Phone Models Shipped with Pre-Installed Spyware". The Hacker News.
24. "G Data: Mobile Malware Report" (PDF). Public.gdatasoftware.com. Archived from the original (PDF) on 15 February 2017. Retrieved 20 April 2016.
25. Catalin Cimpanu (4 September 2015). "24 Chinese Android Smartphone Models Come with Pre-Installed Malware". Softpedia.
26. David Gilbert (12 November 2015). "Amazon Selling $40 Android Tablets That Come With Pre-Installed Malware". International Business Times.
27. "Chinese smartphones infected with pre-installed malware". Security Affairs. 2 September 2015.
28. "Chinese Android smartphones now shipping with pre-installed malware". SC Magazine. Archived from the original on 7 May 2016. Retrieved 18 April 2016.
29. Diane Samson. "Malware Found Pre-Installed on Xiaomi, Huawei, Lenovo Phones". iDigitalTimes.com. Archived from the original on 23 August 2016. Retrieved 18 April 2016.
30. "Amazon's $40 Chinese Android Tablets Infected With Pre-Installed Malware". Design & Trend. Archived from the original on 15 February 2017. Retrieved 18 April 2016.
31. Jeremy Kirk (5 March 2014). "Pre-installed malware found on new Android phones". Computerworld.
32. "G Data: Mobile Malware Report" (PDF). Public.gdatasoftware.com. Archived from the original (PDF) on 10 March 2016. Retrieved 20 April 2016.
33. Waqas (14 November 2015). "Amazon Store, a safe haven for Android Tablets with pre-installed malware". HackRead.
34. "Pre-Installed Android Malware Raises Security Risks in Supply Chain". October 2021.
35. "Some Android Phones Come With Malware Pre-Installed: Report". The Huffington Post. Archived from the original on 30 May 2016. Retrieved 18 April 2016.
36. "Brand New Android Smartphones Coming with Spyware and Malware". WCCFtech. 4 September 2015.
37. "Trojan adware on Android can give itself root access". The Tech Report. 5 November 2015.
38. "Shedun, Shuanet und Shiftybug: Android-Smartphone vor Malware schützen".
39. "Android-Nutzer: Achtung vor Trojaner-Adware Shedun". Check & Secure.
40. "New Android adware tries to root your phone so you can't remove it". ExtremeTech. 5 November 2015.
41. "More than 20,000 apps auto-root Android devices". SC Magazine UK. 30 January 2022.
42. "Android's accessibility service grants god-mode p0wn power". The Register.
43. "Trojanized adware family abuses accessibility service to install whatever apps it wants". Lookout Blog. 19 November 2015. Retrieved 10 April 2016.
44. "Shedun trojan adware is hitting the Android Accessibility Service". Theinquirer.net. Archived from the original on 20 November 2015. Retrieved 20 April 2016.
45. "Shedun adware can install any malicious mobile app". Security Affairs. 22 November 2015.
46. "Shedun gaining accessibility service privileges" (video). 18 November 2015, via YouTube.
47. Dennis Schirrmacher (20 November 2015). "Android-Malware: Werbeterror wie von Geisterhand". Security.
48. "Der Adware-Trojaner Shedun". trojaner-info.de. 6 December 2015.
49. Swati Khandelwal (20 November 2015). "This Malware Can Secretly Auto-Install any Android App to Your Phone". The Hacker News.
50. "Trojaner-Adware installiert selbstständig ungewollte Android-Apps". Areamobile.de. Retrieved 20 April 2016.
51. "Shedun: Neue Android-Adware installiert Apps ohne deine Einwilligung". Androidmag. 25 November 2015.
52. John Woll (23 November 2015). "Installation auch nach Ablehnung: Neue dreiste Android-Adware".
53. "Android Shedun Malware: New Malware That Can Grant Access to Your Phone; Malware Impossible To Be Removed?". Yibada.
54. "Gefährliche Android-Schadsoftware: Oft hilft nur neues Gerät". Noz.de. 9 November 2015. Retrieved 20 April 2016.
55. "Shedun trojan adware is hitting the Android Accessibility Service". The Inquirer. 20 November 2015. Archived from the original on 20 November 2015. Retrieved 10 April 2016.
56. "Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire". Lookout Blog. 4 November 2015. Archived from the original on 19 February 2017. Retrieved 10 April 2016.
57. "Shuanet, ShiftyBug and Shedun malware could auto-root your Android". Betanews.com. 5 November 2015. Retrieved 10 April 2016.
58. "New Family Of Android Malware Virtually Impossible To Remove: Say Hello To Shedun, Shuanet And ShiftyBug". Tech Times. 9 November 2015. Retrieved 10 April 2016.
59. Goodin, Dan (19 November 2015). "Android adware can install itself even when users explicitly reject it". Ars Technica. Retrieved 10 April 2016.
60. "Pavel Ponomariov - Avira Blog". Avira Blog. Archived from the original on 20 April 2016. Retrieved 18 April 2016.
61. Schwartz, Mathew J. "Android Trojanized Adware 'Shedun' Infections Surge". bankinfosecurity.com.