
Shedun


Shedun is a family of malware (also known as Kemoge, Shiftybug and Shuanet) targeting the Android operating system. It was first identified in late 2015 by mobile security company Lookout and affected roughly 20,000 popular Android applications. Lookout claimed the HummingBad malware was also part of the Shedun family; however, these claims were refuted.

Avira Protection Labs stated that Shedun-family malware has been detected causing approximately 1500-2000 infections per day. All three variants of the malware are known to share roughly 80% of the same source code.

In mid-2016, Ars Technica reported that approximately 10,000,000 devices were infected by this malware and that new infections were still surging.

The malware's primary attack vector is repackaging legitimate Android applications (e.g. Facebook, Twitter, WhatsApp, Candy Crush, Google Now, Snapchat) with adware included. The repackaged app, which remains functional, is then released to a third-party app store. Once downloaded, the application generates revenue by serving ads (estimated to amount to $2 US per installation). Most users cannot get rid of the malware without getting a new device, as the only other way to remove it is to root the affected device and re-flash a custom ROM.

In addition, Shedun-type malware has been detected pre-installed on 26 different types of Chinese Android-based hardware, such as smartphones and tablet computers.

Shedun-family malware is known for auto-rooting the Android OS using well-known exploits like ExynosAbuse, Memexploit and Framaroot (causing a potential privilege escalation), for serving trojanized adware, and for installing itself within the system partition of the operating system, so that not even a factory reset can remove the malware from infected devices.
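
The two traits described above (a repackaged app must be re-signed, so its signing certificate no longer matches the publisher's, and the malware places itself in the system partition) can be checked during device triage. The following is an added example, not part of the original article or any vendor's tooling; the package names, certificate digests and baselines are constructed placeholders, and the baselines are assumed to come from a known-clean source.

```python
# Added example: triage an Android package inventory for signs of repackaging
# and system-partition persistence. All data below is constructed.
from dataclasses import dataclass

# Standard locations of system-partition apps on Android.
SYSTEM_PREFIXES = ("/system/app/", "/system/priv-app/")

@dataclass(frozen=True)
class Pkg:
    name: str      # package name
    apk_path: str  # installed APK location
    signer: str    # digest of the signing certificate (placeholder strings here)

# Assumed baselines: certificate digests of the genuine publishers, and the
# package names present in a clean factory image for this device model.
TRUSTED_SIGNERS = {"com.example.chat": "AA11", "com.example.game": "BB22"}
FACTORY_SYSTEM_PKGS = {"com.example.dialer"}

def triage(inventory):
    """Return {package_name: [reasons]} for packages that need review."""
    findings = {}
    for p in inventory:
        reasons = []
        expected = TRUSTED_SIGNERS.get(p.name)
        # Repackaging: known package name, but not the publisher's certificate.
        if expected is not None and p.signer.upper() != expected:
            reasons.append("signer-mismatch")
        # Persistence: lives in the system partition yet is absent from the
        # clean factory image, so a factory reset would not remove it.
        in_system = p.apk_path.startswith(SYSTEM_PREFIXES)
        if in_system and p.name not in FACTORY_SYSTEM_PKGS:
            reasons.append("unexpected-system-app")
        if reasons:
            findings[p.name] = reasons
    return findings

# Constructed sample inventory.
SAMPLE = [
    Pkg("com.example.chat", "/data/app/com.example.chat-1/base.apk", "aa11"),
    Pkg("com.example.game", "/data/app/com.example.game-1/base.apk", "CC33"),
    Pkg("com.example.dialer", "/system/priv-app/Dialer/Dialer.apk", "DD44"),
    Pkg("com.example.updater", "/system/app/Updater/Updater.apk", "EE55"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(name, ", ".join(reasons))
```

Because Shedun-type malware has also been found pre-installed, the factory baseline must come from a verified clean image rather than from the device under examination.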


Wikipedia
