New Rooting Malware Distributed on Google Play That Evade Detection & Attack Android Devices

A new rooting malware has been detected recently by the security researchers at the Lookout Threat Lab, and this new flaw is distributed on several third-party app stores, even on the Google Play Store also. 

This new rooting malware is dubbed “AbstractEmu,” and it enables an attacker to gain superuser privileges on the affected devices; it’s a feature that has rarely been seen in Android malware in recent years.

The AbstractEmu malware was distributed through 19 utility applications from several stores like Google Play Store, Amazon Appstore, Samsung Galaxy Store, and many others.

Among those 19 applications, there is one launcher, which made its way to Google Play Store, from where it was already downloaded 10,000 times. However, when Lookout Threat Lab notified Google about this new malicious app, Google promptly removed the app from Google Play Store to protect Android users.

Aim of AbstractEmu

Till now, it’s not yet clear that who is behind AbstractEmu, but it’s believed that the operators of AbstractEmu are a well-resourced group with financial motivation.

Even their code-base and deception techniques clearly depict that they are sophisticated, as they use:-

• Burner emails
• Burner names
• Burner phone numbers
• Burner pseudonyms

To gain superuser privileges the AbstractEmu downloads and executes one of the five exploits for old Android vulnerabilities once it reaches the victim’s device; here are the five vulnerabilities that AbstractEmu exploits:-

• CVE-2020-0041
• CVE-2020-0069
• CVE-2019-2215
• CVE-2015-3636
• CVE- 2015-1805

While the security analysts at Lookout Threat Lab, Kristina Balaam and Paul Shunk, stated:-

“AbstractEmu does not have any sophisticated zero-click remote exploit functionality used in advanced APT-style threats, it is activated simply by the user has opened the app. As the malware is disguised as functional apps, most users will likely interact with them shortly after downloading.”

Data collected

Once the AbstractEmu is installed on the victim’s devices, it starts collecting the following data to send it to its command and control server:-

• Manufacturer
• Model
• Version
• Serial
• IP Address
• Wi-Fi/Bluetooth MAC addresses
• Package name of app
• Status of risky permissions/capabilities granted to the app
• Carrier Name
• Number
• IMEI
• Timezone
• Account information
• App process ID
• Command numbers supported by the app
• Root status
• Package name of the installer app

Once done with the above information, now AbstractEmu operators give the malware various commands like, get root privileges, collecting and stealing files depending on how new they are or matching a given pattern, and installing new apps.

Moreover, the permissions granted to the attackers through root access are similar to the permissions used by banking trojans like receiving any two-factor authentication codes sent through SMS, running in the background, and launching phishing attacks.

But, after rooting the device, AbstractEmu can track the:- 

• Notifications
• Take screenshots
• Record screen
• Block the device
• Reset device password

That’s why experts have strongly recommended users stay alert and keep their devices secure; users should install proper security software that promises to fight against all types of mobile threats like phishing, OS and app vulnerabilities, malware, and network threats.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates