Name of Malware: Shopper (LeifAccess)

Type of Malware: Trojan, Ad Fraud, Adware

Affected Operating Systems: Android

Affected Device Types: Mobile phones, smartphones, tablets

Impact: high

What is Shopper?

Shopper, also known as LeifAccess, is an Android trojan that masquerades as a system app and abuses Android’s Accessibility services. It can run silently in the background to install apps, post fake Google Play reviews and display ads without user interaction. Its objectives include artificially boosting app ratings through fake reviews, committing click fraud (ad fraud) and secretly downloading or updating additional malicious apps or payloads on the device.

How did I get infected with Shopper?

Shopper is not distributed via the official Play Store but spreads through social- engineering campaigns: Users are tricked by fake ads or APKs disguised as system updates into downloading the malware. The malicious APK must then be manually installed – users often disable Play Protect or ignore warnings to grant the trojan the necessary permissions (e.g. Accessibility).

What do I have to do now?

After infection, revoke all maliciously granted permissions (especially Accessibility and device-admin rights) and uninstall the trojan app – if necessary, reboot into Safe Mode to override the malware’s protection mechanisms. Then restart the device and scan it with a reputable mobile security app. For protection, only install apps from official sources, disable installations from unknown sources, review app permissions, and use a reputable mobile security solution.

Further information on removing this malware can be found under Removing infections from PCs, laptops etc.

Technical specifications

Further information on this malware can be found on the website of our project partner Fraunhofer FKIE.