New Android adware reportedly “nearly impossible” to remove

by: John DyeNovember 6, 2015

360 Security review

Lookout has discovered a new form of adware that roots a device after the user installs it, then entrenches itself as a system application. This makes it impervious to any normal means of deleting it, even factory resetting the device.

This is a new, more sophisticated version of typical adware, which tends to make itself annoying by constantly pushing ads at the user. Since this form of malware has root access, it doesn’t need to annoy the reader, and most users probably won’t even know they’ve been infected. It’s effectively a family of trojan viruses.

Lookout discovered that this family of trojans hides inside legit apps like Candy Crush, Google Now, Facebook, NYTimes, Okta, Twitter, WhatsApp, Snapchat, and over 20,000 others. Infected versions of these applications are not available on the Google Play store and must be downloaded from third party stores. Since most instances of this malware leave the host app virtually unaltered, users may not notice the sneaky little culprit that snuck in on it.

Lookout reports that successfully embedded instances of this malware are “nearly impossible” to remove, and that the only solution for most users will be to purchase a new phone. Adware with this kind of power is obviously a security risk. Apps typically aren’t given access to files created by other applications, but root access bypasses this safeguard and could expose infected devices to fraud and identity theft.

Lookout has identified three different families of this form of trojan malware: Shuanet, Kemoge (or “ShiftyBug”), and GhostPush. These families have separate designers but share 77% of their code, meaning that even if those responsible for creating them are not working together, they are at the very least aware of each other. The highest rates of infection are in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.

So is this really that big of a deal though? While the situation might sound dire, in reality, the odds of being infected by such a trojan probably is pretty low. As already mentioned, these infected apps are found in 3rd party stores, so if you stick to official channels — you should have very little to worry about.

  • Charles Fair

    i dont think this is a problem for me my galaxy s5 is unrootable

    • Android Developer

      What do you mean? You can’t root it?

      • Lamp

        Certain carriers lock down the bootloader on their phones making it very hard to obtain root.

        • Mojo

          Now that’s cute, he thinks root is hard lol.

          • Android Developer

            I thought the bootloader can be hard, but root?

          • Brad Burbank

            I have a Verizon Note 3 on 5.0 that is unrootable.

          • Android Developer

            How odd.

          • mobilemann

            it’s pretty normal for ATT and Verizon devices. Thanks for commenting on stuff you don’t know about.

          • Android Developer

            I don’t understand your last sentence. I don’t live in the US, and so I don’t get why you guys have such restrictions.

          • Lamp

            AT&T and Verizon Note 4 hasn’t been rootable for a year now. Only temp root and that can only be done on 4.4.4

          • WhoaManWtF

            Can’t root Note 5 on Verizon or Att

    • Diego

      Its going to be even worst for you

  • Android Developer

    I’ve already warned that this could happen, seeing as how TowelRoot works, and requested to protect against such apps, by making root legit and protected:

    • mobilemann

      your request was denied :(

      • Android Developer

        I know. One can only hope. I’ve tried showing all the reasons for protecting against rooting and yet allow to do it built in (and also still make it harder for the common user).

      • Leslie Olson

        So far this year I have earned 69,000 dollars with my pc and I am a college time student . I am connectd with a business entity that outsource online jobs . I heard about it last year and I have made a great cash . It is just great and I am just so happy to have that option ……. Look here for details ….

  • Ghazali Hamzah

    but if you have rooted phone can’t you just delete it ? or change rom since its attached to system

  • Renascienza

    Just flash the stock ROM again and Bob is your uncle. Bye bye, system malware.

  • Hotbod Handsomeface

    What if I like my phone to pretend to be a NASCAR and have ads all over the place. Problem solved.

  • Scr-U-gle

    It is basically part if android, not really malware, not a Trojan but part of an ad sale by Google.

    It’s widespread and we already know hundreds of thousands of actual malware is re-uploaded daily to the official play store.

    Gotta laugh at Andoids non-existent security.

    • John Doe

      Android is an open source OS, that being said, Google does have pretty good security, it’s the 3rd party app stores that can cause users headaches. This is no different than an iPhone user going to a 3rd party app store and downloading the same type of unchecked apps.

      • Bur

        And just like windows. Gotta laugh at trolls not understanding tech and software.

        • mobilemann

          actually, John doe’s comment is about as wrong as scrugled. You are the guy not understanding the software. Sorry.

          • Scr-U-gle

            Everything I said is fact, is wrong? Hundreds of thousands are reloaded a day, Google have admitted it, the register reported it.

            You are also welcome to search with Bing and find the video of Eric Shit being laughed at by the worlds best internet security experts when he made ridiculous claims

            What is ‘wrong’ is you don’t know as much as you think you do.

      • Scr-U-gle

        So the hundreds of thousands of apps reloaded each day with malware, virus and Trojans you have to pretend don’t exist!

        Tell that to Googles CEO next time the worlds best security experts laugh in his face.

        Very funny.

        • KappaMaster Boy

          Shut up dmbo

          • mobilemann

            the irony is the android fanboys are about as clued in as the idiot troll.

          • Scr-U-gle

            Check out you, can’t even spell an insult. More than two words in a sentance must scramble your brain

        • John Doe

          If you get your apps from a non-google play store site the chance of getting a virus infected app is huge. The possibility of an app having a virus in the google play store is small (but not totally impossible) the same can be said for the apple eco-system as well ..
          You play with fire you are most likely going to get burn!

          • Scr-U-gle

            Google admit that over a hundred thousand are reloaded with a name change and are available daily to users.

            Just because you don’t understand doesn’t make it a fact.

          • John Doe

            And just because YOU state something does not mean that you are correct .. maybe an actual link to backup your statement would be a good idea .. No?

          • Scr-U-gle

            No, Google admit it, try again dipstick.

            I suggest you try Bing, and look at The Register.


          • John Doe

            And what phone do you use? Let me guess an iPhone?
            And Bing sucks as a search app .. dipshit!! lol

          • Scr-U-gle

            Enjoy the your walled garden search, androne.

            Still trying to change the subject when you make yourself look a fucking idiot.

          • John Doe

            What? Pegging you as an iPhone user is changing the subject? Touchie Touchie …
            Why else do you rant like a silly Troll when anything Google related comes up for comment?
            You are a useless Troll .. nothing more nothing less ..
            Maybe it’s time to find an Apple blog to feel more at home at ..

          • Scr-U-gle

            Still nothing to add to the conversation except bullshit, abuse and nonsense, if anyone is a troll it is you and your abusive posts.

            Well you have no answers to the fact that androne is insecure, can’t be updated beyond 18 months, and a cheap knock off.

            What a sad life you lead. Enjoy your iphoney for upto 18 months, if you are lucky it lasts that long.

          • Scr-U-gle

            Maybe you should try not having to repeat “do you want to go large” every five minutes.

            You will be less angry at the world and hating something you could never have.

            There are plenty of places you can go where they only allow androne comments that pretend nothing is wrong with your shitty knock off.

            By the way, my meal deal comes with fries, you don’t need to also ask if I want fries with it.

          • Scr-U-gle

            Where is your back-up?

            I suggest you use Bing to search The Register for the back up.

            What a dick you Andrones really are. So brainwashed you believe your own bullshit.

      • mobilemann

        “Android is an open source OS” no it’s not. A lot of it is, but GPS / the launcher / now / play store etc. all are closed. They are marginally more open in terms of source than iOS. (which releases darwin as a FOSS paltform)

        • John Doe

          No it’s not. A lot of it is .. ?? confused a little ? Dude it either is or it isn’t .. I say Yes, you say Maybe ..

          • mobilemann

            sorry kid, it’s more compilcated than that. Although if you needed an answer, “no”.

          • John Doe

            Kid? … I will take that as a compliment from you ..
            But, you need to do some reading on Android before you hurt yourself ..

            And there are literally hundreds of sources like this that say the very same thing!! Android IS Open source!!
            Kid … love it ..

          • mobilemann

            I know more about android than you know about your own extremities. AOSP is open source, Android, which include Google play services, a closed launcher, closed play store, closed google now, closed services and apps, ISN’T.

            unless you run pure AOSP, with only open source apps on it (no one does) you’re not running open source.

            I compiled an app for my iphone today, when was the last time you touched a IDE?

          • John Doe

            Whatever .. You believe what you believe, I will believe what the hundreds of others state .. your probably going to tell me that your iPhone is more Open Source than android ..
            Good luck to you .. Later

          • mobilemann

            it’s not. It’s quite a bit more closed, but they share a similar model, darwin the core of OS X and iOS is actually an opensource project that apple releases code to every year. Webkit which Android uses is a project forked by apple of KHTML.

            The real reason you won’t respond is you don’t know enough too, but hopefully this shows you, there’s more to anything than just “x is open y is closed”. Because that’s the actual truth.

            Go look it up kid use google as the search engine it is.

          • mobilemann

            and it’s not what i believe. it’s right vs wrong. Everything i’m telling you, you could easily verify, but you don’t care really, you’r ejust about justification of your product purchase.

            well, anyone who buys a smartphone but doesn’t really know how to use it, like yourself and what seems like most on this forum, are suckers.

    • patt

      didn’t you read that there was recently many bad apps uploaded to appstore on ios? they were also malicious.

      • Scr-U-gle

        And dealt with.

        Heartbleed is still an issue, and Stagefright is not going to be resolved on 99.9r% of android devices without buying a new handset with the latest software.

        Then you have the majority of these bedroom experts telling users that they shouldn’t worry about updates and they don’t need them.

        Android M updates are expected in 12 months for around a dozen handsets, across all OEMs.

        All five year old iOS devices are able to keep upto date on the day of release.

        The facts don’t lie, the producer of the software knows more than the user, users think they know more.

        The majority of IT staff don’t know jack.

        • KappaMaster Boy

          Okay bitch we understand if you enjoy overpriced crap aka iPhone then just shut up and go somewhere else. No need to embarrass yourself in front of the whole Android master race.

          • Scr-U-gle

            Master race? Oh so that is why Gov-gles board quote the Nazis in defence of their sharing your data with advertisers and the NSA.

            what is the price of the S6 compared to the iPhone? Average $100 more!

            Great way to show what a master race you are, being wrong at every point.

            Too fucking easy, NEXT!

          • Prasad

            When the truth hurts lets deny with “Icrap” overpriced etc…

          • KappaMaster Boy

            Lmao S6 100$ more than iPhone? Where do you live? The Apple Store? Stop lying to yourself and embrace the superiority of Android.

            And talking about Google selling your data, please tell me you don’t use the following websites/products: Facebook, Google search, Bing, Instagram, Windows 10, Phones, cell phones, emails, Chrome, Safari, or just De_INTERNET.

            Doesn’t matter what you use, the NSA knows it. So stop being a dumbass and use that “Google is selling your data bullshit”.

          • Prasad

            I’m not worried about NSA. I’m worried about my data which can be hacked by many apps on android.

            Yes. I stick to the point Google is selling our data without proper respect to the users. Remember Google forcing users to create G+ account even to comment or use youtube? and also clubbing data without giving option to users? They said either optin or close all google accounts which is not easy with gmail and they know it. I never supported Facebook either but they are better than Google as they never said tags like “dont be evil” etc crap.

            I know you dont care all these things because you love Google blindly or you hate Apple blindly.

            Yes when it launched S6 was 100$ more…now it is not even half the worth. Thats the reality and Sammy is ready with S7 in Feb to bring new sales…

          • KappaMaster Boy

            Idk about you but S6 was about 750$ when it launched and the iPhone 6 was still around 750$, and now the S6 is alot cheaper than the iPhone 6 (An older phone).

            But again, the “adware” that this article is talking about only exists in apps outside the official Google Play Store. It’s the same thing as if you download from a non-official apps store on the iPhone.

            Talking about Facebook, they’re not better Google and if you didn’t know they can even track you down even if you’re not a Facebook user on the Facebook website/App

          • Prasad

            Boss. the Adware is present on many apps on official store. Some of those apps can’t be used at all. Apple is constantly tracking apps and immediately blocking Developers if found misusing iOS users data. I dont see that happening on Android. Google is not making much money from Android to invest in all these things…its understandable but I guess fans dont agree…

  • Ronak Kothari

    Won’t changing the ROM itself work?

    • Diego

      It will if its not compromised by the malware.

  • lu99ke

    Wouldnt flashing back-to complete stock Fw solve this issue?? As opposed to buying new phone?

    Burn to the ground and start again…


    Oh no! Stagefright 3.0!

    • Android Developer

      Not the same at all. This is a real app.

  • Matthew Allison

    Maybe if your 360 Security you praised so much was any good it would be able to remove it!

    • Jugo

      Nice lol

      • Angela Moore

        So far this year I have made 69,000 dollars with my pc and I am a full time student . I am attached with a business entity that outsource online jobs . I heard about it last year and I have made a great cash . It is just great and I am just so happy to have that option …..Look here for more info ..

      • Bettie Battle

        .❝my neighbor’s mom is making $98 HOURLY on the lap-top❞….A few days ago new McLaren F1 subsequent after earning 18,512$,,,this was my previous month’s paycheck ,and-a little over, $17k Last month ..3-5 h/r of work a day ..with extra open doors & weekly paychecks.. it’s realy the easiest work I have ever Do.. I Joined This 7 months ago and now making over $87, p/h..Learn More right Here….
        ➤➤➤ http://GlobalWorldEmploymentsVacanciesReportsCentre/GetPaid/$97hourly… ❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦

      • Maxine Smith

        .❝my neighbor’s mother is making $98 HOURLY on the lap-top❞….A few days ago new McLaren F1 subsequent after earning 18,512$,,,this was my previous month’s paycheck ,and-a little over, $17k Last month ..3-5 h/r of work a day ..with extra open doors & weekly paychecks.. it’s realy the easiest work I have ever Do.. I Joined This 7 months ago and now making over $87, p/h..Learn More right Here….
        ➤➤➤ http://GlobalWorldEmploymentVacanciesReportInsider/GetPaid/$97hourly… ❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦</blockquote

    • jhornom1

      Trust own androidauthority If you wana get a reasonable income through laptop and if you have a reliable internet connection then you should be able to know how you make your income by laptop.this is very simple to know just vist my website
      and sign up there for more details
      http:// TipsForYou

    • 스건다

      In my case 360 IS the malware that itself downloads and installs itself repeatedly even after uninstall and also downloads useless programs

  • David Barajas

    “Gotta laugh at Android security…”
    Blah blah blah. If you download Candy Crush or Facebook infected with malware OUTSIDE the official app store you get what’s coming to you.
    So many of these dumb a## people comment about Android security think iOS don’t have its own issues/problems.

    Neither is perfect but I still like and enjoy both.

    • Prasad

      Haha….insecure android found. Who said iOS is perfect?

      But it is clear iOS is miles ahead in security

      • David Barajas

        I lost count of the people who said it that’s who.

        • Prasad

          It is stupid to call anything perfect because there is nothing called percent in world…it’s all relative

  • I have paid $ 8569 this month.I’m finally getting 97 Dollars p/h,….It’s time to take some action and you can join it too.It is simple,dedicated and easy way to get rich.Three weeks from now you will wish you have started today….

    ===>>> Visit Website in my РŔŐŦĨĹĔ


  • Rob Earls

    Just to be clear, when you flash a new ROM, it typically copies across fresh system files overwriting each individual system file. It does not wipe the directory before it starts and it’s not like a “ghost image” which overwrites the partition bit by bit. So if there are infected files there, they will still exist after flashing.

    • Chester

      If it’s infecting the actual system applications, then flashing should fix the issue. IMG files are used in the flash process and the entire /system partition is replaced. You are restoring that img to the /system partition and overwriting the partition in the process. You can also wipe the /cache directory from bootloader. Using ADB and fastboot you can flash, format, or erase entire partitions for that matter. So all you really need is a knowledgeable enough friend in this case, not rushing out to buy a new phone. Although, I might be in the market for any “hopelessly infected” phones that people want to offload on the cheap.

  • saran p.s

    How come an app root a device? If it cant, it can’t do any harm to an unrooted device.

    • Android Developer

      There are apps that use exploits, like TowelRoot, which works on a huge number of devices and Android versions.

  • canalac

    Or maybe you could jump to a mobile with latest updates from google, hardening code, blocked root, etc… Like the blackberry priv!

  • Peter

    360 Security is crap. I’m not denying the adware but I’ve actually encountered malware and pesky web ads that take control over the phone and open Play Store with 360 Security loaded. Hard to take them seriously…

  • Jack Silsan

    At least we have options in the operational system market


    Bullshit stuff. Buy a new phone? Really? I would flash the entire stock system again. Why you have to buy a new phone for something that sits inside your system. Anything in memory is removable, unless you cannot access that memory. With root and android going hand in hand, everyone knows about ROMS, stock roms, etc. The rooting methods used by those Trojans cannot work on every device. It’s next to impossible to attain root just by system modifications provided the developer of the virus is working for Google knowing the exact security loopholes. It a concern but surely not as deadly as changing your device

    • Winston Purnomo

      Well the article said “for most people”, AKA non-nerds

      • King_Android

        You take it to a store with a knowledgeable worker which seems to be non-existent now a days in carrier stores, they should be able to reimage the device quick and easy.


        AKA the people who buy “GALAXY” phones. Seeing that they have the most market share

        • Chirag Thakkar

          I have a Micromax phone and I think it has the same type of adware as described. Done factory reset three times but it is still there.


        Correct, my friend. But it is kinda misleading or might afraid people more than it’s reality

    • mobilemann

      rootkits don’t work like that kid.


        Lol woot? I Didn’t mention anything regarding rootkits there.

        • mobilemann

          you and most of the people who comment here, are idiots.

          • DUBEY VISHAL

            Right. So you read an article, and post a link to similar one and tell me an idiot. Had such stuff so easily possible, Chainfire would have been the biggest hacker, here. Get your basics right, my friend, before calling other idiot ;)

          • mobilemann

            what type of viruses survive through complete re-installations?

          • DUBEY VISHAL

            None will. That’s what I said. There is no need to buy a new device. Just reflash stock

          • mobilemann

            (rootkits can)

          • EQ

            Only if bootloader is infected and it isn’t replaced in a full reflash since system NAND will get formated and what was there is gone including the malware. Same basics as on a PC. Formating your HDD will dislink all files from the MBT and nothing that was there previoulsy can run by itself nor be seen and will be overwritten as HDD gets filled.

  • Jonathan Rioux

    Oh. I see. Now’s the time to rebrand : 359 Security!

  • King_Android

    Root that sucker and install a custom rom… or reimage your device. Getting a new device is a little extreme.

  • Timothy Anderson

    Anyone dumb enough to side load or get these apps from third parties deserves it. Why would you not wait 3 extra days to get the real app when it comes out? I don’t get it.

    • Prasad

      Because most android users don’t want to pay.

  • Kamui

    Whaaattt? “Lookout reports that successfully embedded instances of this malware are “nearly impossible” to remove, and that the only solution for most users will be to purchase a new phone.”

    You say that If I reflash (clean every partiton 1st) my phone with a factory image, there will still be an infection? Nonsense… stop scaring people pls. And most people have a geeky friend that knows how to flash a phone

  • trwb

    Really this is a non issue. Only install apps from Google play like you are supposed to and this won’t be a problem.

    • Peter

      Infected apps are most likely also in play store. Wouldn’t be the first time

    • Prasad

      I get more adware n crapware on official store than outside APKs

      • trwb

        The outside apks likely have malicious stuff hidden in them that you don’t usually see.

        • Prasad

          Agreed….just saying the official apps look more dangerous as many of them run in background and access many features

  • How about flashing a new ROM? Will it still be there?

  • Devon

    Lolololol buy a new phone… So the virus roots your phone, so it’s a system app…just clean install a new rom. Come on Android authority, you promote android but don’t promote what makes android great like rooting and flashing

    • Peter

      Flashing does not remove it. Read the article first…

      • Choda Boy

        What article did you read? I see nothing about flashing. It does say “factory reset” which is not flashing. Know WTF you are talking about…

      • Choda Boy

        What article did you read? I see nothing about flashing. It does say “factory reset” which is not flashing. Know WTF you are talking about…

  • s2weden2000


  • Tonic Blue

    Thanks for the tip, staying away from Android phones. IPhone or windows phone

  • s2weden2000

    a lot of dem aijphoney experts here again..lube up …

  • Maxine Smith

    .❝my neighbor’s mother is making $98 HOURLY on the lap-top❞….A few days ago new McLaren F1 subsequent after earning 18,512$,,,this was my previous month’s paycheck ,and-a little over, $17k Last month ..3-5 h/r of work a day ..with extra open doors & weekly paychecks.. it’s realy the easiest work I have ever Do.. I Joined This 7 months ago and now making over $87, p/h..Learn More right Here….
    ➤➤➤ http://GlobalWorldEmploymentVacanciesReportInsider/GetPaid/$97hourly… ❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦❦</blockquote

  • Paul

    And if it were so easy for an app to “root” your phone, I think we’d have more apps rooting phones rather than jump through hoops with adb and changing the bootloaders and oem unlocking devices and trying to find a way around a locked bootloader, etc. They make it seem like it’s easy for a piece of software to root the phone and embed itself. Nearly impossible? Dumb, it just means if it does happen to be able to root your phone (because your phone is ridiculously simple to root) then it will put itself in /system which any factory reflash of the ROM or 3rd party ROM or even ROM update will rebuild. So changing the ROM out will rebuild /system and away goes the ‘trojan’. Anybody who sticks to the play store or trusted 3rd party stores is fine, anybody with a phone that is hard or difficult to root should be fine. Anybody with half a brain should be fine.

    • Chris Jones

      This is exactly what I’ve wondered — how the malware is supposedly getting around a locked bootloader, which last time I checked, is only possible via ADB. And like you, I’m getting sick of these stories that lead people to believe that Android is inherently dangerous when staying with the trusted app stores will pretty much prevent these infections. Last time someone told me that he moved to iOS because he was tired of getting viruses on his Android phone, it turned out that he was a frequent user of pirated APKs.

  • metronome

    Get in quick for the ultimate TV stick, more powerful than intel and more than double the spec of the budget chinese brands!

  • Virusgunz

    How about reflashing your phone

  • Choo Choo

    Time for two removable memory cards, and no internal memory at all.

  • iKrontologist

    And we wonder why Android Authority is more of a place site for Apple fans to visit and iBloviate on and on about how secure their lame iOS is than Android. Obviously Android Authority has been infiltrated by Apple Insider’s iB**** Plugging Devices and senior Applewellian Thought Police! lol….

    Lookout? Yeah right! haha….. If it was so great, why do they give trials away for Free? Oh….. yeah…. that’s just the hook, to get you using it. Like what Drug Lords and the Mob put out to get people signed on to their drug scam. But once you’re hooked or signed up there ain’t no leaving! xD … much do you get here at Android Authority for every Paid sign up link you get? :D

  • Thakur Ankit Dyeonia

    My phone is infected by this adware from last 2 months. I have tried factory reset, couple of adware removal tools and even avg antivirus but non worked. Avg detected it as trojan virus in 2 system apps. Alarm clock is one of them. Avg was unable to remove it as it is a system app. They aware is downloading and installing apps without my permission. Also even after uninstalling those unwanted apps, it is reinstalling them.

  • 스건다

    Any suggestion on how to get rid of these malwares, if already got infected??