July 6, 2016

A Spike in Shedun, Also Known as HummingBad


There is a particularly dangerous family of malware, known as Shedun, which Lookout discovered and first reported last November. Shedun is trojanized adware that roots Android devices, masquerading as legitimate apps such as Facebook, Twitter, WhatsApp and Okta’s enterprise single sign-on app. Three similar families are associated with Shedun: Shuanet, ShiftyBug, and one we later discovered, BrainTest.

To make matters more confusing, different vendors have different names for Shedun. You may have heard Shedun called HummingBad, Hummer, ANDROIDOS_LIBSKIN, or right_core (the APK name). Recent reports on HummingBad raise alarms about a malicious and widespread family that one of our competitors claims to have first discovered in February 2016. This is the same family as Shedun, which we discovered several months before then, in November 2015. This family is extremely malicious, but it is not new.

What is new

We have observed a recent spike in Shedun detections on Lookout’s mobile threat network. We believe this is attributable to the authors building new functionality or distributing the malware in new ways.

Shedun detections spiked over 300% in March, and further spiked over 600% in the past month.


Shedun and the related families follow a particular pattern — they are adware that silently roots devices, allowing them to remain persistent even if the user performs a factory reset. Shedun also uses its root privileges to install additional apps onto the device, further increasing ad revenue for the authors and defeating uninstall attempts.

Lookout customers are protected from Shedun, also known as HummingBad and Hummer, as they have been since we discovered it last fall.

Authors

Kristy Edwards

Director, Product Management - Security Intelligence

Kristy Edwards is a recognized thought leader in cybersecurity, information risk and privacy. She has led cybersecurity and data privacy discussions with technical audiences and government authorities in the US, the EU and Africa. She is a co-inventor of US patents in database security.

Kristy joined Lookout in 2015 as Director of Product Management for Security Intelligence. Recognizing mobile as the new endpoint and as both a top enabler and risk for enterprises and government, she’s merged her interests in security and mobile. Kristy has built Information Security and Data Privacy teams in enterprise software, Cloud and HealthIT organizations. She has been an advisor on product development, information risk and architecture, and has served on cybersecurity advisory boards. Her career started in mobile, holding positions at Psion (Symbian) in San Francisco and London, long before happily returning to mobile in joining Lookout.

Platform(s) Affected: Android
Threat Type: Malware
Entry Type: Threat Summary
