S0294: ShiftyBug
Analyst context for executives and security teams
ShiftyBug matters because it represents Android malware that combines adware with auto-rooting behavior. For leaders, the key issue is not just unwanted advertising; rooting can weaken device security boundaries and may turn a mobile nuisance into an incident involving privileged access, persistence, and loss of device integrity.
Executive priority
Treat ShiftyBug-style behavior as a mobile security and resilience concern where Android devices are used for business access, workforce identity, operations, or regulated data workflows. Priority questions are: which Android devices can access enterprise resources, how quickly can rooted or tampered devices be identified, and whether mobile incident response can distinguish ordinary adware from malware that escalates privileges or modifies system binaries.
Technical view
ATT&CK provides no detection text for ShiftyBug, but the relationships indicate validation should focus on Android privilege escalation through vulnerability exploitation and possible modification of client/system software binaries. SOC, mobile security, and IR teams should confirm whether they can observe rooting indicators, unexpected changes to system binaries, suspicious app provenance, and device integrity failures. Because tactics and platforms are not fully specified on the software object, local mobile device management, endpoint, and app inventory evidence is required to scope exposure.
Likely telemetry
- Android device inventory and enrollment status
- Mobile device management or enterprise mobility management compliance records
- Root/jailbreak or device integrity attestation results
- Installed application inventory and app provenance
- Mobile security alerts for trojanized or adware-like applications
Detection direction
- Validate that mobile detection logic does not treat adware as low priority when rooting or privilege escalation indicators are also present.
- Look for combinations of suspicious app installation, device integrity failure, root indicators, and unexpected system binary changes rather than relying on a single adware signature.
- Tune out expected administrative or test devices where rooting is authorized, but ensure those exceptions are documented and isolated from enterprise access where appropriate.
- Review coverage against the related techniques T1404 Exploitation for Privilege Escalation and T1645 Compromise Client Software Binary in the mobile ATT&CK domain.
- Because ATT&CK provides no official detection guidance for this malware, confirm coverage through local telemetry review and controlled validation rather than assuming tool visibility.
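The combination logic described in the list above, as an added example that is not part of the ATT&CK object or the Glexia analysis: it joins constructed per-device records (MDM compliance, attestation, app inventory, mobile security alerts; the field names are assumptions, not a real MDM schema) and only escalates when rooting or integrity evidence appears alongside other signals, while tuning out documented test devices unless they hold enterprise access.

```python
"""Correlate mobile device-integrity signals into a per-device triage verdict.

Added example, not code from the page or from MITRE/Glexia. Record layout,
field names and the sample devices are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Signals that point at privilege escalation or loss of device integrity
# (the T1404 / T1645 side), as opposed to plain adware noise.
ESCALATION_SIGNALS = {"root_indicator", "integrity_failure", "system_binary_change"}

# Output ordering for analysts: highest-urgency verdict first.
PRIORITY = [
    "escalate_to_mobile_ir",
    "policy_violation_authorized_root_with_enterprise_access",
    "investigate",
    "low_priority_adware_cleanup",
    "suppressed_authorized_test_device",
    "clean",
]


@dataclass
class DeviceRecord:
    """One device's view joined from MDM, attestation and app inventory (assumed schema)."""
    device_id: str
    root_detected: bool = False
    attestation_passed: bool = True
    system_partition_changed: bool = False
    adware_alert: bool = False
    sideloaded_apps: list[str] = field(default_factory=list)
    enterprise_access: bool = False
    authorized_root_exception: bool = False


def collect_signals(rec: DeviceRecord) -> list[str]:
    """Normalise raw fields into named signals so the scoring stays readable."""
    signals = []
    if rec.root_detected:
        signals.append("root_indicator")
    if not rec.attestation_passed:
        signals.append("integrity_failure")
    if rec.system_partition_changed:
        signals.append("system_binary_change")
    if rec.sideloaded_apps:
        signals.append("sideloaded_app")
    if rec.adware_alert:
        signals.append("adware_alert")
    return signals


def assess(rec: DeviceRecord) -> dict:
    """Return the verdict for one device plus the signals that drove it."""
    signals = collect_signals(rec)
    escalation_hits = ESCALATION_SIGNALS.intersection(signals)

    if rec.authorized_root_exception:
        # Documented lab/test devices are tuned out, but only while they stay
        # isolated from enterprise resources.
        verdict = ("policy_violation_authorized_root_with_enterprise_access"
                   if rec.enterprise_access else "suppressed_authorized_test_device")
    elif escalation_hits and len(signals) >= 2:
        # Rooting/integrity evidence plus at least one more signal: treat as an
        # incident candidate rather than an adware ticket.
        verdict = "escalate_to_mobile_ir"
    elif escalation_hits:
        verdict = "investigate"
    elif signals:
        # Adware or sideloading alone, with no escalation evidence.
        verdict = "low_priority_adware_cleanup"
    else:
        verdict = "clean"

    # Access restriction follows integrity evidence regardless of alert priority.
    block = bool(escalation_hits) and not verdict.startswith("suppressed")
    return {"device_id": rec.device_id, "signals": signals,
            "verdict": verdict, "block_enterprise_access": block}


def triage(records: list[DeviceRecord]) -> list[dict]:
    """Assess every device and sort the results by urgency."""
    return sorted((assess(r) for r in records), key=lambda v: PRIORITY.index(v["verdict"]))


# Constructed sample population (not real devices or real app package names).
SAMPLE_DEVICES = [
    DeviceRecord("dev-01", enterprise_access=True),
    DeviceRecord("dev-02", adware_alert=True, enterprise_access=True),
    DeviceRecord("dev-03", root_detected=True, attestation_passed=False,
                 system_partition_changed=True, adware_alert=True,
                 sideloaded_apps=["com.example.flashlight"], enterprise_access=True),
    DeviceRecord("dev-04", root_detected=True, authorized_root_exception=True),
    DeviceRecord("dev-05", root_detected=True, authorized_root_exception=True,
                 enterprise_access=True),
    DeviceRecord("dev-06", attestation_passed=False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_DEVICES):
        print(row)
```

The deliberate asymmetry is that an adware alert on its own stays low priority, but the same alert on a device that also fails attestation or shows root indicators is promoted, and access blocking is decided from integrity evidence alone so that triage priority and access control cannot drift apart.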
Mitigation priorities
- Maintain Android patch and OS version governance to reduce exposure to privilege-escalation vulnerabilities.
- Restrict enterprise access from devices that fail integrity, rooting, or compliance checks.
- Use managed app sources and app inventory review to reduce exposure to trojanized applications.
- Define mobile IR procedures for triaging suspected rooted devices, including containment, evidence preservation, and re-enrollment or replacement decisions.
- Prioritize controls that provide audit evidence: device compliance state, app inventory, patch posture, and response actions.
Analyst notes and limits
The supplied ATT&CK object identifies ShiftyBug as an Android auto-rooting adware family and links it to privilege escalation exploitation and compromise of client software binaries. That makes device integrity, patch posture, and app provenance the main defensive decision points. The object does not provide aliases, tactics, labels, or official detection content.
This take is limited to the supplied ATT&CK fields, the Lookout external reference, and the two provided relationships. It does not establish current activity, specific affected versions, attribution, business exposure, or guaranteed detection coverage. Local device population, mobile telemetry, and enterprise access patterns are required for risk assessment.
ShiftyBug
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1645 | Compromise Client Software Binary | ShiftyBug is auto-rooting adware that embeds itself as a system application, making it nearly impossible to remove. (Citation: Lookout-Adware) |
| Mobile | T1404 | Exploitation for Privilege Escalation | ShiftyBug is packed with at least eight publicly available exploits that can perform rooting. (Citation: Lookout-Adware) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | da6bcf7b8a98… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Lookout-Adware: Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.
- [2] ShiftyBug (Citation: Lookout-Adware)
- [3] mitre-attack: S0294
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.