Security researchers have discovered a new type of Android malware that inserts adware into 20,000 commonly-used apps, like Facebook, Candy Crush Saga, Twitter, WhatsApp and Snapchat, then releases this new fake version of the app to be downloaded from alternative third-party app stores.
The fake version of the app works just like the original, and once it is downloaded to a user's smartphone, the adware then quietly embeds itself into the smartphone's Android operating system and aggressively serves ads on the phone in order to make money for the malware's creators.
According to mobile security firm Lookout Security, there is no way to remove the adware, even if the smartphone is reset to its factory settings, so all users can do is to replace their device completely.
Stop using alternative Android app stores
The researchers say that three different types of "trojanised adware" known as Shuanet, Kemoge and Shudun have together carried out a dedicated malware campaign infecting over 20,000 apps to repackage them, and the fake apps are then released on alternative Android app stores, but not over Google Play.
The hackers have apparently even been able to insert adware into the Okta two-factor authentication enterprise security app, but unusually, the hackers don't seem to want to get into the app to harvest users' details – they just want to earn money by serving smartphone users as many annoying ads as possible.
It appears that the malware has been programmed to simply go after all popular apps in the Google Play app store and then insert adware into them, but to stay away from all antivirus apps, to avoid alerting cyber-security firms that might detect the campaign.
While the fake apps have been detected on compromised smartphone users in the US, Germany, Russia, Mexico, Jamaica, Brazil, Iran, Sudan, India and Indonesia, it seems that the best way to prevent your device from being infected is to only use Google Play and avoid all alternative Android app stores.
But for app developers, this news is surely a wake-up call to sit up and check your app to see if it is being repackaged on alternative Android app stores, and to warn your users about this problem, as if it earns hackers money, they will keep making malware like this.
App developers beware: this could get worse
"Legitimate application developers are often unjustly blamed for the malicious actions of malware that repackaged their applications. In reality, both the user and the app developer here are victims of malware," the researchers write in a blog post.
"We expect this class of trojanised adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional malware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities.
"While historically, adware hoped to convince the user to install new applications by showing banners and annoying pop-ups, now it can install these third party apps without user consent. In this way it can heavily capitalise on the Cost-Per-Install paid out by web marketing companies. Unfortunately, should the revenue model change on clicks-per-install and ads, this may lead to malware authors using this privilege escalation for new monetisation strategies."