Lookout: New, sneaky Android adware tries to root phones

Martin Brinkmann
Nov 6, 2015
Google Android

Android is without doubt the most popular mobile operating system out there. While other mobile systems may be more popular in certain regions, it is Android that is dominating most markets.

Security firm Lookout discovered a new form of Android adware recently that goes through great length to make sure it stays on the device it has infected.

The adware comes in form of re-packaged applications that Android users download from third-party stores or other sources that offer Android apk files.

The distribution method has been used before to deploy adware or malicious software on devices, but this type of adware does more than just throw a handful of popup ads in the user's face every now and then.

It ships with rooting functions, and if successful in rooting the device, will move the app to the system partition.

Since the system partition is unaffected by factory resets, the adware will persist on the device making it even harder, some would say nearly impossible, for end-users to remove it from their system.

Lookout stated that it discovered the adware, dubbed Shuanet, in more than 20,000 popular re-packaged applications including Facebook, Candy Crush, New York Times, Snapchat, Twitter or Whatsapp.

android root malware

These apps function normal for the most part, and the only indicator that something is not right is the occasional ad popup they display on the device.

This is one of the few indicators users get on their device that something is wrong.

Good news, and that is just cold comfort, is that the malicious code is only designed to display adware on the user's device.

It is at least in theory possible however that different versions of the code will do more than that, for instance steal user data, install additional applications or remote-control the device.

The rooting exploits on the other hand are not new. In fact, they have been patched in newer versions of Android making devices only vulnerable to Shuanet's root attack if it has not received patches. This can be the case if the manufacturer of the device is not offering them, or if the owner of the device has not installed them on it.

There is another barrier to getting infected. These repackaged applications are not available on Google Play, and like also not on other major application stores.

They are provided as direct apk downloads or in stores that don't verify ownership or other factors before applications are added to it.

Direct apk downloads or third-party application stores are quite popular for a number of reasons. First, for phones and tablets that don't ship with Google Play but another application store that may not have certain apps in its inventory.

Then, because of the "dreaded" roll-outs of new apps that Google favors these days. Updates and new applications are not made available to all users at the same time. Instead, they are rolled out gradually which means that some users may have to wait weeks or even months before they get the update or an option to install the app on their device.

It is unclear right now if security applications detect the Shuanet adware. Lookout, the firm that discovered the new strain of adware, has its own Android security application called Lookout for Android.

Now You: Do you download apk files directly sometimes?

Lookout: New, sneaky Android adware tries to root phones
Article Name
Lookout: New, sneaky Android adware tries to root phones
Security firm Lookout detected a new strain of Android adware that tries to root phones it is installed on to move itself to the device's system partition.

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Karl said on November 7, 2015 at 8:27 pm

    What if the bootloader is locked?

  2. xfdelfa said on November 7, 2015 at 7:13 am

    >> Do you download apk files directly sometimes?

    Yes, because google play store shows connection time out. I use 2G. Directly downloading apk with resume support, I do with UC browser. Google should give up some option in play store like do not download icons and screenshot when in 2G.

  3. Wayfarer said on November 7, 2015 at 2:53 am

    IMHO – depending on your definition of malware – all Android devices are ‘infected’ when you buy them. The crap you get pre-installed on these machines is beyond credence. Indeed, the problem seem worse on those devices that can least afford it – i.e. cheap tablets and phones with limited storage. And as for updates – that’s a sad joke with many devices on the market. Rooting sometimes provides a solution – but that isn’t always practical. That malware can now root devices that we can’t root ourselves might be a final insult.

    And all – again IMHO – easily sorted if manufacturers put their minds to it. But they’d much rather go on producing new more exciting devices (i.e. identical but thinner, as if that was ever important) than give real long term support to the gear they’ve already sold.

    The words ‘goose’ and ‘golden egg’ come constantly to mind.

  4. ilev said on November 6, 2015 at 11:39 am

    “Lookout stated that it discovered the adware, dubbed Shuanet..”

    Lookout discovered 3 adware/Trojans, by 3 developers, using the same exploits : Shuanet, ShiftyBug,Shedun

    The only way to get rid of these trojans is either to buy a new device or install a new ROM.

  5. Rocky said on November 6, 2015 at 10:39 am

    I am becoming a little disenchanted with Android – the fragmentation and risk of malware for me is a bog issue. aside from that my current Sony Xperia J is slow and too little memory . Actually thinking about a Windows phone as a replacement (iPhone is nice but very prices )

  6. Yuliya said on November 6, 2015 at 10:06 am

    Mobile phones have become so awful lately, mostly due to the fact that they are now target of the worst kind of business practices (from a user’s point of view), and the ads are just obscene. Telling me that the phone is “infected” and that I should download ssome kind of application to fix it (adware, most likely, or something that will try to convince me to purchase it, like “30 viruses found, pay to remove”).

    The ads in mobile browsers are the worst, to the point that they’re hijacking the browser, closing your tabs, opening a couple of new ones and actually showing you a popup which looks as if the phone generated it, asking you to install some kind of paid garbage to remove viruses and what not. Worst thing is that the said popup also makes makes the phone vibrate and has some annoying beeping sound, so the average user’s reaction would be to quickly make it stop doing that by clicking the first (and largest) button, which is OK.. sad, really. And this is the main reason why I think Firefox is NEEDEED on Android, not just a simple preference.

    “Do you download apk files directly sometimes?”
    Yeah, from sources that I actually trust, like it was the case with NetGuard. Good application, btw.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.