Shedun is a family of malware (also known as Kemoge, Shiftybug and Shuanet [1] [2] [3]) targeting the Android operating system, first identified in late 2015 by the mobile security company Lookout and affecting roughly 20,000 [4] popular Android applications. [3] [5] [6] [7] [8] Lookout claimed that the HummingBad malware was also part of the Shedun family; however, these claims were refuted. [9] [10]
Avira Protection Labs stated that Shedun-family malware accounts for approximately 1,500-2,000 detected infections per day. [11] All three variants of the malware are known to share roughly 80% of the same source code. [12] [13]
In mid-2016, Ars Technica reported that approximately 10,000,000 devices were infected by this malware [14] and that new infections were still surging. [15] [16]
The malware's primary attack vector is repackaging legitimate Android applications (e.g. Facebook, Twitter, WhatsApp, Candy Crush, Google Now, Snapchat [17]) [4] [18] [19] with adware included. The repackaged app, which remains functional, is then released to a third-party app store. [20] Once downloaded, the application generates revenue by serving ads (estimated to amount to US$2 per installation [19]). Most users cannot get rid of the malware without getting a new device, as the only other way to remove it is to root the affected device and re-flash a custom ROM. [21] [22]
In addition, Shedun-type malware has been detected pre-installed on 26 different types [23] of Chinese Android-based hardware such as smartphones and tablet computers. [24] [25] [26] [27] [28] [29] [30] [31] [32] [33] [34] [35] [36]
Shedun-family malware is known for auto-rooting the Android OS [18] [37] using well-known exploits such as ExynosAbuse, Memexploit and Framaroot [38] (causing a potential privilege escalation [19] [39] [40]), [41] for serving trojanized adware, and for installing itself within the system partition of the operating system, so that not even a factory reset can remove the malware from infected devices. [42] [43]
Shedun malware is known for targeting the Android Accessibility Service, [2] [42] [44] [45] [46] [47] [48] as well as for downloading and installing arbitrary applications [49] (usually adware) without permission. [3] It is classified as "aggressive adware" for installing potentially unwanted applications [50] [51] [52] and serving ads. [53]
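As an added illustration from a defender's stance (this is example code, not taken from the article or from any of its sources), the following Python triage helper parses captured `adb shell pm list packages -f` and `adb shell settings get secure enabled_accessibility_services` output and flags two of the indicators described above: packages resident on the system partition that a clean-image baseline does not list, and enabled accessibility services that the user did not knowingly turn on. The sample device output, package names, baseline and allow-list are all constructed for the example.

```python
"""Triage helper for two Shedun-style persistence indicators on an Android device:
   1. packages living under /system that a clean-image baseline does not list, and
   2. enabled accessibility services outside a user-confirmed allow-list.
   Example code; inputs below are constructed, not real device captures."""
import re
from dataclasses import dataclass

# Constructed sample of `adb shell pm list packages -f` output (hypothetical packages).
SAMPLE_PM_LIST = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/system/app/GnCore/GnCore.apk=com.example.adsvc
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
package:/data/app/com.example.repack-2/base.apk=com.example.repack
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# The real setting is a colon-separated list of package/service pairs, or "null" when unset.
SAMPLE_A11Y = "com.android.talkback/.TalkBackService:com.example.adsvc/.ClickerService"

# Hypothetical baseline of system packages expected on this image (in practice taken
# from a known-clean ROM of the same model and build).
BASELINE_SYSTEM_PKGS = {"com.android.settings", "com.android.calculator2"}
# Hypothetical allow-list of accessibility services the user knowingly enabled.
KNOWN_A11Y_SERVICES = {"com.android.talkback/.TalkBackService"}

PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>\S+)$")


@dataclass(frozen=True)
class InstalledApp:
    path: str
    package: str

    @property
    def on_system_partition(self) -> bool:
        # Apps under /system survive a factory reset, which only wipes /data.
        return self.path.startswith("/system/")


def parse_pm_list(text: str) -> list[InstalledApp]:
    """Parse `pm list packages -f` lines of the form package:<apk path>=<package name>."""
    apps = []
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            apps.append(InstalledApp(m["path"], m["pkg"]))
    return apps


def unexpected_system_apps(apps: list[InstalledApp], baseline: set[str]) -> list[str]:
    """System-partition packages that the clean-image baseline does not account for."""
    return sorted(a.package for a in apps
                  if a.on_system_partition and a.package not in baseline)


def parse_enabled_a11y(value: str) -> list[str]:
    """Split the enabled_accessibility_services setting into package/service entries."""
    return [s for s in value.strip().split(":") if s and s != "null"]


def unknown_a11y_services(services: list[str], known: set[str]) -> list[str]:
    return sorted(s for s in services if s not in known)


def triage(pm_text: str, a11y_value: str, baseline: set[str], known: set[str]) -> dict:
    apps = parse_pm_list(pm_text)
    findings = {
        "unexpected_system_apps": unexpected_system_apps(apps, baseline),
        "unknown_accessibility_services":
            unknown_a11y_services(parse_enabled_a11y(a11y_value), known),
    }
    # Cross-reference: an unexpected /system package that also runs an accessibility
    # service combines both indicators and is the highest-priority finding.
    a11y_pkgs = {s.split("/")[0] for s in findings["unknown_accessibility_services"]}
    findings["system_app_with_a11y_service"] = sorted(
        set(findings["unexpected_system_apps"]) & a11y_pkgs)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PM_LIST, SAMPLE_A11Y,
                             BASELINE_SYSTEM_PKGS, KNOWN_A11Y_SERVICES).items():
        print(f"{key}: {value}")
```

On a real device the two inputs come from `adb shell pm list packages -f` and `adb shell settings get secure enabled_accessibility_services`; the baseline should be generated from a clean ROM of the same build, since vendor images legitimately carry system packages that a generic list would not contain.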
As of April 2016, Shedun malware is considered by most security researchers to be next to impossible to remove entirely. [54] [55] [56] [57] [58] [59]
Avira security researcher Pavel Ponomariov, who specializes in Android malware detection tools, mobile threat detection, and mobile malware detection automation research, [60] has published an in-depth analysis of this malware. [11]
The countries most infected by this malware were in Asia, including China, India, the Philippines, Indonesia and Turkey. [61]