Shedun
Auto-rooting adware trojan discovered by Lookout in August 2015. Shedun repackaged ~20,000 popular apps (WhatsApp, Facebook, etc.) with root exploit payloads, installed itself to the /system partition to survive factory resets, and was among the first malware to abuse Android Accessibility Service to install apps without user consent. Has a MITRE ATT&CK entry as ShiftyBug (S0294).
Overview
| Property | Value |
|---|---|
| First Seen | August 2015 |
| Type | Trojanized adware with auto-rooting |
| Attribution | Linked to Yingmob group (also behind HummingBad, disputed) |
| Aliases | ShiftyBug (MITRE S0294), Kemoge, Shuanet, GhostPush, Hummer. Lookout originally described Shuanet, Kemoge/ShiftyBug and Shedun/GhostPush as three separate but closely related families sharing code and rooting exploits; HummingBad/Hummer are names applied by other vendors (see Naming Controversy) |
Distribution
Legitimate apps repackaged with the malicious payload and distributed through third-party app stores. Approximately 20,000 popular apps were repackaged.
Capabilities
| Capability | Implementation |
|---|---|
| Auto-root | Used ExynosAbuse, Memexploit, Framaroot exploits |
| System persistence | Copied itself into the /system partition as a system app; a factory reset wipes /data and /cache but not /system, so the payload survived resets and could not be uninstalled through Settings |
| Accessibility abuse | Pioneered registering an Accessibility Service and using it to read the install dialog and click through it, installing apps without the user's consent |
| Aggressive ads | Served advertisements and generated fraudulent revenue |
| Payload delivery | Downloaded and installed additional malware |
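The two traits in the table that a responder can check for directly are an unexpected enabled Accessibility Service and a non-OEM package whose APK lives under /system. The script below is an added example, not code from the original page or from Lookout: it parses constructed sample output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -f` and flags entries outside an assumed allowlist. The package and service names in the sample data (com.example.flashlight and its AcsSvc class) and the allowlists are assumptions for illustration, not indicators from any Shedun sample.

```python
"""Device triage for Shedun-style persistence and Accessibility abuse.

Added example (not Lookout's or the page's own code). Parses the output of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -f
All sample data below is constructed; package names are assumptions.
"""
import re

# Constructed output of `settings get secure enabled_accessibility_services`.
# Android stores enabled services as "pkg/ServiceClass" entries joined by ':'.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashlight/com.example.flashlight.AcsSvc"
)

# Constructed output of `pm list packages -f`: "package:<apk path>=<package name>".
SAMPLE_PM_LIST = """package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/system/app/Flashlight/Flashlight.apk=com.example.flashlight
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
"""

# Assumed allowlist of accessibility services a fleet expects (e.g. TalkBack).
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}

# Assumed baseline of package-name prefixes that legitimately live on /system.
# A real baseline should be taken from a known-good device of the same build.
SYSTEM_BASELINE_PREFIXES = ("com.android.", "com.google.android.")


def parse_enabled_accessibility(raw):
    """Return (package, service_class) tuples from the Settings.Secure value."""
    raw = raw.strip()
    if not raw or raw == "null":      # `settings get` prints "null" when unset
        return []
    entries = []
    for entry in raw.split(":"):
        pkg, _, svc = entry.partition("/")
        if pkg:
            entries.append((pkg, svc))
    return entries


def untrusted_accessibility(raw, trusted=TRUSTED_ACCESSIBILITY):
    """Enabled accessibility services owned by packages outside the allowlist."""
    return [(p, s) for p, s in parse_enabled_accessibility(raw) if p not in trusted]


PM_LINE = re.compile(r"^package:(?P<path>\S+)=(?P<pkg>\S+)$")


def parse_pm_list(raw):
    """Return {package_name: [apk paths]} from `pm list packages -f` output."""
    packages = {}
    for line in raw.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            packages.setdefault(m.group("pkg"), []).append(m.group("path"))
    return packages


def suspicious_system_packages(raw, baseline=SYSTEM_BASELINE_PREFIXES):
    """Packages whose APK sits under /system but whose name is outside the baseline.

    A factory reset wipes /data and /cache, not /system, so a dropper that copies
    itself here (as Shedun did after rooting) survives resets.
    """
    flagged = []
    for pkg, paths in parse_pm_list(raw).items():
        on_system = [p for p in paths if p.startswith("/system/")]
        if on_system and not pkg.startswith(baseline):
            flagged.append((pkg, on_system))
    return flagged


if __name__ == "__main__":
    for pkg, svc in untrusted_accessibility(SAMPLE_ACCESSIBILITY):
        print(f"[accessibility] {pkg} -> {svc}")
    for pkg, paths in suspicious_system_packages(SAMPLE_PM_LIST):
        print(f"[system-resident] {pkg}: {', '.join(paths)}")
```

Replace the constructed strings with the live command output to run this against a device; a hit in either list is a starting point for pulling the APK and inspecting its manifest, not a verdict on its own, since legitimate OEM bloatware and assistive apps will also appear if the baseline is incomplete.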
Significance
Shedun was among the first families to demonstrate that the Accessibility Service could be weaponized for silent app installation. The same technique later became a cornerstone of Android banking trojans such as Gustuff. Because a factory reset does not touch /system, the system-partition persistence made removal extremely difficult without reflashing the firmware.
Naming Controversy
Lookout claimed HummingBad is simply Shedun under a new name. Check Point (which coined the name HummingBad) and ElevenPaths argued they are distinct families; the overlap comes from shared rooting exploits and the Yingmob actor group. HummingWhale is an evolved variant that was found on Google Play.