Thousands of popular Android apps readily available for download from different websites are riddled with adware, according to security researchers. These malicious apps auto-root the host device, and then become virtually impossible to remove.
Security firm Lookout reports that it has found over 20,000 samples of such malicious apps. These apps masquerade themselves as official versions of several popular apps such as Facebook, Google Now, Candy Crush, WhatsApp, and many others. The apps root the device, exposing it to a host of more attacks. India is among the countries that are most affected by this vulnerability.
The report reveals that it has found that many of the players behind development of these apps simply repackage the content lifted from an official app coupled with malicious code. The attackers are reportedly uploading these apps to third-party app stores.
What's interesting about this attack is that the apps seem to be fully-functional and offer the same experience as their official counterparts. So a victim might not get suspicious. Furthermore, the exploits - that have been found to belong to Shedun, Shuanet, and ShiftyBug families - install themselves as system apps and get access to high privileged system-level processes. What makes it more alarming is that these apps cannot be removed by typical methods.
"Unlike older types of adware that were obvious and obnoxious, prompting users to uninstall them, this new type of adware is silent, working in the background. These malicious apps root the device unbeknownst to the user. To add insult to injury, victims will likely not be able to uninstall the malware, leaving them with the options of either seeking out professional help to remove it, or simply purchasing a new device," the security firm wrote in a blog post.
Most of these apps, however, only seem to display ads on the infected devices. This is not the first time an attack of this sort had been orchestrated to bombard a victim's device with ads. Malware named Ghost Push which was found in Google Play last month had also installed malicious apps that would display plenty of ads on a device.
But because these malicious apps have system-level access, it makes the device vulnerable. Once an app gains system-level access, it can retrieve critical data such as passwords from other apps.
The report further emphasises how unsafe it is to download apps from untrusted sources. It is advised that users only download apps from Google Play and have a look at the data the app seeks permission for at the time of installation.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.