Auto-rooting adware attacks on Android ecosystem

People ‘root’ their smartphones for many reasons, most commonly in order to have as much control over the device as possible. Now malware is getting in on the act, with Trojanised, auto-rooting adware attacks on Android phones, which installs itself as a system app that can survive a factory reset. IT Security Thing investigates. Predictive security specialist Lookout, which uses ‘machine intelligence’ to predict zero day attacks, has spotted a large number of auto-rooting adware infected apps in the wild. So far it has detected more than 20,000 samples in apparently legitimate, and hugely popular, applications such as Candy Crush, Facebook, Google Now, Okta 2FA, Snapchat, Twitter and WhatsApp. Before you start worrying too much, the apps themselves may appear totally legitimate but they have been repackaged by the threat actors and the malicious code squirted into them. They all appear perfectly normal from the user perspective, functionality is not impacted at all and the malware remains well hidden. This, in and of itself, is unusual. Most commonly this type of app-cloning malware only actually goes as far as cloning the name and the executable icon; when it is clicked upon it then installs the malicious payload but without the original app doing anything. If that sounds like even more reason to panic, you can still relax unless you are in the habit of downloading your apps from outside of the official Google Play app store.