Lookout, a cybersecurity company focused on mobile technology, reports that three new families of adware have been infecting users by hiding inside popular apps. The applications used to mask the adware include titles such as Candy Crush, Facebook, NYTimes, and WhatsApp. This new form of adware is particularly malicious, going beyond its typical functions of injecting ads in websites and annoying users with pop ups, gaining root access into the user’s smartphone. Root access allows the owners of the malicious program to access sensitive parts of a mobile device without being detected and to potentially install additional programs. Furthermore, most of the apps hiding this malware still function as they were intended to while the rootkit runs in the background. 

Lookout detected over 20,000 samples of this type of adware being distributed throughout third-party app stores. The countries affected include the United States, Germany, Russia, India, and Mexico. These three families of adware trojans, Shuanet, ShiftyBug, and Shedun, are particularly malicious as “the malware roots the device automatically after the user installs it, embeds itself as a system application, and becomes nearly impossible to remove.” A user would either have to consult a mobile security specialist or purchase a brand new phone if they became infected. Developers are also negatively impacted as trojans which hide inside their apps negatively affect their reputation.

As stated in the report, “While historically, adware hoped to convince the user to install new applications by showing banners and annoying pop ups, now it can install these third party apps without user consent. In this way it can heavily capitalize on the Cost Per Install paid out by web marketing companies.” The popularity of mobile applications and the evolution of online marketing has lead to the development of mobile adware with increasingly malicious properties. We’ll probably be hearing more about Shuanet, ShiftyBug, and Shedun in the months to come.