The Lookout Threat Lab has discovered a new rooting malware that is available on Google Play as well as popular third-party stores like the Amazon Appstore and the Samsung Galaxy Store.
The malware was named “AbstractEmu” because it uses code abstraction and anti-emulation checks to avoid running while it is being analysed. A total of 19 related apps were discovered, seven of which include rooting functionality, including one with more than 10,000 downloads on Google Play. As soon as we informed Google about the malware, they promptly removed the app from Google Play to protect Android users.
This is a noteworthy find because widely distributed, root-capable malware has become rare over the last five years. As the Android ecosystem matures, fewer exploits affect a significant number of devices, which makes them less useful to threat actors.
Despite its rarity, rooting malware is extremely harmful. By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware, actions that would normally require user interaction. With elevated privileges, the malware can also access sensitive data belonging to other apps, which is impossible under normal conditions.
What is the motivation of the threat actor?
While we don’t know who is behind AbstractEmu, we believe the actors are well-funded and financially motivated. Their code base and evasion techniques are highly advanced, including the use of burner emails, aliases, phone numbers, and pseudonyms. We also found similarities between the malware and banking trojans, such as the untargeted distribution of the apps and the permissions they request.
AbstractEmu posed as a variety of apps, including utility apps such as password managers and system tools such as app launchers and data savers. [Figure: the trojanized apps, from top left to bottom right: Data Saver, Lite Launcher, My Phone, Night Light, All Passwords, Phone Plus, Anti-ads Browser]
Targeting without discrimination
The widespread, untargeted distribution of the apps provides one of the most important clues about the threat actors behind AbstractEmu. The majority of the 19 apps we discovered that were linked to the malware were disguised as utility apps such as password or money managers, as well as system tools such as file managers and app launchers. To the users, they all appeared to be functional. This includes “Lite Launcher,” which received more than 10,000 downloads before being removed from Google Play.
The AbstractEmu threat actor also distributes these apps indiscriminately. In addition to Google Play, the Amazon Appstore, and the Samsung Galaxy Store, we discovered them on Aptoide, APKPure, and other lesser-known app stores and marketplaces. As for promotion, we found advertisements on social media and on Android-related forums. While most of the messages were written in English, we came across one instance where the malware was advertised in Vietnamese. Although people in the United States were the most affected, AbstractEmu affected users in 17 different countries.
Similarities with banking trojans
In addition to the apps’ untargeted distribution, the broad permissions granted by root access fit with other financially motivated threats we have seen before. This includes permissions that banking trojans commonly require, such as the ability to intercept any two-factor authentication tokens received through SMS, or to run in the background and launch phishing attacks. Other permissions allow remote interaction with the device, such as capturing screen content and using accessibility services, which lets threat actors interact with other apps on the device, including finance apps.
These permissions are comparable to those requested by the Anatsa and Vultur malware families.
Beyond these, Mandrake was a financially motivated threat with extensive spyware capabilities similar to AbstractEmu. With complete insight into the device and its usage, the actors can tailor their attacks to the individual target and improve their chances of success.
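The permission profile described above (SMS interception, accessibility-service binding, overlays, background persistence) is something an analyst can triage statically before a sample is ever run. The following script is an added example, not code from Lookout or from the malware; it parses a constructed AndroidManifest.xml with the standard library and reports which of the capabilities discussed in this section the app requests. The capability groupings, the scoring and the sample manifest are assumptions made for the example.

```python
"""Static triage of an AndroidManifest.xml for the banking-trojan permission
profile: SMS interception (2FA theft), accessibility-service binding
(interaction with other apps), overlay windows (phishing) and background
persistence.  The manifest below is constructed for this example."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERM = f"{{{ANDROID_NS}}}permission"

# Real Android permission names, grouped by the capability they enable.
# The grouping itself is an assumption of this example.
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "background_persistence": {"android.permission.FOREGROUND_SERVICE",
                               "android.permission.RECEIVE_BOOT_COMPLETED",
                               "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "package_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

# Constructed sample: a "launcher" that also asks for SMS, overlays,
# boot persistence, package installation and an accessibility service.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample.launcher">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application>
        <service android:name=".HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application/>
</manifest>
"""


def manifest_capabilities(xml_text):
    """Return the set of capability labels the manifest requests."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    caps = {cap for cap, perms in CAPABILITIES.items() if requested & perms}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # it does not appear as a <uses-permission> entry.
    if any(s.get(PERM) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
           for s in root.iter("service")):
        caps.add("accessibility_control")
    return caps


def triage(xml_text):
    """Map the capability set to a verdict: SMS interception combined with
    accessibility control is the banking-trojan signature from the text."""
    caps = manifest_capabilities(xml_text)
    if {"sms_interception", "accessibility_control"} <= caps:
        verdict = "high"
    elif len(caps) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return verdict, sorted(caps)


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The verdict is deliberately driven by the combination of capabilities rather than by any single permission, since a legitimate SMS app or a legitimate accessibility tool requests one of them on its own; it is the pairing, together with overlays and persistence, that matches the profile described above.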
Malicious flow with multiple layers
From the initial infection through to the third stage, the threat actor behind AbstractEmu goes to considerable lengths to avoid detection. None of the techniques is unique on its own, but used together as part of one campaign they reveal the threat actor’s financial resources.
AbstractEmu lacks the sophisticated zero-click remote exploit functionality found in advanced APT-style threats; instead, it is triggered simply by the user opening the app. Because the malware is disguised as useful apps, most users will interact with them soon after downloading them.
Anti-emulation and device check during the initial infection
Beyond the trojanized apps’ legitimate functionality, a series of steps designed to keep AbstractEmu from being discovered is launched as soon as the user opens the app. The first step is to determine whether the infected device is a physical device or an emulator. The malware inspects the device’s system properties, list of installed apps, and filesystem, using checks similar to those found in the open-source library EmulatorDetector.
Once the device passes the initial check, the app begins communicating with its command and control (C2) server over HTTP, expecting to receive a series of JSON commands to execute. Each app has its own set of hard-coded commands. To determine which command to execute, the app transmits a large amount of data to the C2 server, including both the commands it supports and device data such as the manufacturer, model, OS version and serial number, phone number, and IP address.
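The check-in just described has a recognisable shape on the wire: a POST over plain HTTP whose JSON body bundles several device identifiers with a list of supported commands. The following detection logic is an added example, not Lookout’s or the malware’s code; it runs over a few constructed proxy-log records and flags bodies that carry three or more identifier classes, distinguishing a full check-in (identifiers plus a command list) from plain identifier exfiltration. The log-record layout, the JSON field names, the TEST-NET addresses and the command names are all assumptions made for the example; the real AbstractEmu field names are not given in this article.

```python
"""Detect AbstractEmu-style C2 check-ins in HTTP proxy logs: a POST whose
JSON body carries several device identifiers (manufacturer, model, OS
version, serial, phone number, IP) plus the list of commands the client
supports.  Log records, field names and addresses are constructed."""
import json
import re

# Key-name tokens that indicate a device identifier, mapped to a class label.
IDENTIFIER_HINTS = {
    "serial": "serial", "imei": "imei", "phone": "phone_number",
    "manufacturer": "manufacturer", "model": "model",
    "version": "os_version", "ip": "ip_address",
}
COMMAND_KEYS = {"commands", "cmds", "supported_commands", "actions"}

# Constructed proxy log: one check-in, one ordinary login, one GET, one
# crash report that carries only two identifiers (below threshold).
PROXY_LOG = [
    {"ts": "2021-10-01T10:00:01Z", "method": "POST", "scheme": "http",
     "host": "198.51.100.23", "path": "/api/v1/reg",
     "body": json.dumps({"device": {"manufacturer": "vendor", "model": "X-1",
                                    "version": "9", "serial": "SN-CONSTRUCTED"},
                         "phone": "+15550100", "ip": "203.0.113.7",
                         "commands": ["ping", "download", "install", "run"]})},
    {"ts": "2021-10-01T10:00:05Z", "method": "POST", "scheme": "https",
     "host": "api.example.com", "path": "/login",
     "body": json.dumps({"user": "alice", "password_hash": "ab12"})},
    {"ts": "2021-10-01T10:00:09Z", "method": "GET", "scheme": "http",
     "host": "cdn.example.net", "path": "/update.json", "body": ""},
    {"ts": "2021-10-01T10:00:12Z", "method": "POST", "scheme": "https",
     "host": "telemetry.example.org", "path": "/crash",
     "body": json.dumps({"model": "X-1", "version": "11", "app": "1.2"})},
]


def identifier_fields(obj):
    """Recursively collect identifier classes from JSON key names."""
    found = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            tokens = set(re.findall(r"[a-z0-9]+", key.lower()))
            found |= {label for hint, label in IDENTIFIER_HINTS.items() if hint in tokens}
            found |= identifier_fields(value)
    elif isinstance(obj, list):
        for value in obj:
            found |= identifier_fields(value)
    return found


def command_list(obj):
    """Return the first list of strings stored under a command-like key."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.lower() in COMMAND_KEYS and isinstance(value, list) \
                    and all(isinstance(v, str) for v in value):
                return value
            inner = command_list(value)
            if inner:
                return inner
    elif isinstance(obj, list):
        for value in obj:
            inner = command_list(value)
            if inner:
                return inner
    return None


def detect(records, min_fields=3):
    """Flag POST bodies carrying at least min_fields identifier classes."""
    alerts = []
    for rec in records:
        if rec["method"] != "POST":
            continue
        try:
            body = json.loads(rec["body"])
        except (ValueError, TypeError):
            continue  # not JSON: outside this detection's scope
        fields = identifier_fields(body)
        if len(fields) < min_fields:
            continue
        cmds = command_list(body)
        alerts.append({
            "ts": rec["ts"], "host": rec["host"],
            "cleartext": rec["scheme"] == "http",
            "kind": "c2_checkin" if cmds else "identifier_exfil",
            "fields": sorted(fields), "commands": cmds or [],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(PROXY_LOG):
        print(alert)
```

The threshold of three identifier classes keeps ordinary crash or analytics reports, which commonly send model and OS version, out of the alert stream; the serial number, phone number and IP address together are what push a body over the line. The `cleartext` flag records that the check-in went over plain HTTP, as described above, which is itself worth a separate low-severity signal on managed devices.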
The “Settings Storage” app
On the Android device, the silently installed app is disguised as “Settings Storage.” If the user attempts to open it, it closes itself and opens the legitimate Settings app instead. Because the app itself contains no malicious functionality, it is harder to detect; instead, it relies entirely on files delivered by its C2 server at runtime.
By the time of our discovery, the threat actor behind AbstractEmu had already disabled the C2 endpoints needed to retrieve this additional payload, which prevented us from learning the attackers’ final objective.
Whether it’s rare or not, it’s always a good idea to keep your operating system up to date.
While we weren’t able to determine what AbstractEmu was ultimately for, we did learn a great deal about a modern, widely distributed rooting malware campaign, something that is becoming increasingly unusual as the Android platform matures.
Rooting Android devices or jailbreaking iOS devices remains the most invasive way to fully compromise a mobile device. Whether you are an IT professional or a consumer, keep in mind that mobile devices are ideal targets for cyber criminals because they offer numerous capabilities and store a large amount of sensitive data.
To keep yourself or your organisation secure, we recommend rigorously keeping your operating system up to date. We also advise installing software only from legitimate stores, since malware removed from those stores may still be available elsewhere. Always be cautious when installing unknown apps, regardless of which store you use.
Of course, dedicated mobile security software is needed to protect against the full range of mobile risks, including phishing, OS and app vulnerabilities, malware, and network threats.