Android has taken quite a beating lately on the security front. In part, that's due to a perfect storm consisting of a large user base, slow software and security updates, and the ability to sideload untrusted apps that could potentially steal data or crash the phone. Against that backdrop, antivirus maker Lookout has posted a warning about a wave of novel malware with a nasty side effect: giving itself root privileges.
The attack vector is pretty straightforward. An attacker downloads a popular app like Facebook or WhatsApp from the Google Play store and then injects it with one or more root exploits. The trojanized app is then uploaded to a third-party repository. When a user downloads and installs the infected app, the root exploit payload runs in the background, attempting to gain root access on the infected device.
So far, Lookout has found three distinct forms of this kind of attack, named ShiftyBug, Shuanet, and Shedun (also known as GhostPush). The root exploits they use are often the same ones found in popular root-enabling software packages, like ExynosAbuse and Framaroot.
Lookout says users may never know the cause of any issues they might have after their devices are infected, because the infected app seems to work correctly most of the time. Even worse, in some cases, the app can write itself to protected system storage, meaning that not even wiping the phone's user-accessible storage can remove the payload. That means infected phones could potentially have to be replaced entirely.
The best way to stay safe seems to be sticking to official distribution channels. While official app stores can have their own security problems, they're no doubt safer than using third-party sites relying on user—rather than developer—submissions.