An adware family has been found to be capable of automatically installing apps on Android devices, targeting a flaw in the way Google's mobile operating system handles accessibility features, a report has found. The adware reportedly installs apps even if a user has cancelled the installation.
Dubbed Shedun, the Android malware has been found to download unwanted apps as well as exploit a vulnerability in Android that makes it possible for the malware to find alternative ways to interact with the infected device, security firm Lookout reports. Shedun is one of the three adware programs Lookout had reported earlier this month. Shedun, Kemoge, and Shaunet are part of the same Android adware family that root infected device to install malicious apps and serve ads. These adware programs have reportedly affected more than 20,000 popular Android apps via unofficial channels. Their official Google Play counterparts were not affected, the firm had added.
But it appears Shedun is capable of doing much more than initially anticipated. The adware attempts to fool users into enabling accessibility features because they are allegedly needed by a utility to help stop inactive apps. To gain a user's trust, the app notes that the notification is a "standard privacy risk reminder."
"By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user," wrote Michael Bentley, head of research and response at Lookout in a blog post.
Once a user enables the accessibility feature, Shedun displays a pop-up ad for an app. This is where it gets trickier. Even if a user closes the pop-up, the app is downloaded and installed. This happens because any app with access to accessibility features can determine the text on the screen and scroll through the permissions list and initiate the installation without any interaction from the user. The culprits behind it have likely partnered with clients to guarantee them 100 percent ad display and installation.
"Shedun likely uses this technique in order to increase its revenue by guaranteeing the installation and execution of advertised applications. After all, marketing companies pay more money for advertising campaigns where the user actually interacts with the application after downloading it instead of simply downloading and forgetting about it," Lookout explained in a blog post.
The security firm expects to see more such malware in future. The state of security on Google's Android platform continues to remain alarming.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.