November 19, 2015

Trojanized Adware Family Abuses Accessibility Service

Zoomed in image of smartphone highlighting iOS accessibility menu.
Platform(s) Affected
Threat Type
Entry Type
Threat Summary
Platform(s) Affected
Threat Summary

Shedun, a family of trojanized adware, is more sophisticated than many think.

In addition to rooting a victim’s device, Lookout observed Shedun abusing the Android Accessibility Service for its malicious means. Using the accessibility service toolset in the delivery of malware is pretty uncommon, so we took a deeper look. Last week we told you about three trojanized adware families: Shuanet, ShiftyBug, and Shedun. These families root the victim’s device after being installed and then embed themselves in the system partition in order to persist, even after factory reset, becoming nearly impossible to remove. We call it “trojanized adware,” because the end goal of this malware is to install secondary applications and serve aggressive advertising.

Shedun takes its adware a step further.

Not only does it download the unwanted apps, but it actually attempts to install them by tricking a user into enabling Shedun to control the Accessibility Service, which is designed to provide alternative ways to interact with mobile devices. Shedun does not exploit a vulnerability in the service, instead it takes advantage of the service’s legitimate features. By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user.

The video below shows a sample of Shedun doing just this. After rooting the device, Shedun (likely masquerading as a popular app or system utility), asks the user to turn on the accessibility service. The messaging is ironically misleading:

“[This app] uses accessibility features to help stop inactive apps you aren’t using. You’ll see a standard privacy risk reminder, Please feel at ease about turning it on.”

First, it lies about what accessibility features do (they do not help stop inactive apps, nor do they provide maximum acceleration). Then it attempts to placate the victim to “feel at ease” about turning on the service - sure, trust them, nothing to worry about.

This does require some victim interaction in that she must turn on the accessibility service initially if she falls for the “feel at ease” message. But from there the installation of further apps is automatic.

Shedun then shows the victim a pop-up advertisement for another application. When the victim clicks away from the pop up, the app downloads anyway. As soon as the download is complete, Shedun uses the accessibility service to automatically approve all the permissions for the app and install it--without any additional user interaction.

This isn’t the first time we’ve seen a piece of malware abusing the accessibility service. A Japan-targeted threat also abused the service with the goal of surveilling its victims. Namely, it collected messages from the popular messaging service LINE, when one of these messages was read by the accessibility service.

Shedun likely uses this technique in order to increase its revenue by guaranteeing the installation and execution of advertised applications. After all, marketing companies pay more money for advertising campaigns where the user actually interacts with the application after downloading it instead of simply downloading and forgetting about it. In this case, Shedun takes that choice away, leaving the user angry at the advertised app that they have been forced to experience, while simultaneously taking the money from ad agencies, despite having violated their policies. This class of malware is evolving quickly and we believe we’ll see more sophisticated families surfacing in the future.

Colleagues standing in an open meeting area and sharing a humorous moment

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Other Related Threats


September 19, 2023


Google released a patch for a new zero-day vulnerability in Chrome tracked as CVE-2023-4863, which CISA also listed in their database.

September 18, 2023

ASPL 2023-09-01 / CVE-2023-35674

September 20, 2023

Deblind Analyzed: Lookout Identifies and Dissects Android App Used by Russian Sandworm APT's Infamous Chisel Spyware Tooling