Tens of Thousands Download “AbstractEmu” Android Rooting Malware

Malware hunters at Lookout Security have discovered a new Android rooting malware that managed to score tens of thousands of downloads through Google Play and third-party application stores.

Dubbed AbstractEmu, the malware attempts to gain root access by exploiting several vulnerabilities identified in 2019 and 2020, as well as two from 2015. The adversary even modified publicly available exploits for two 2019 and 2020 CVEs, to ensure that they can target a larger number of devices.

The targeting of such security errors suggests that the malware operators were targeting users globally, Lookout said in a report documenting the threat. Users in 17 countries were affected, with the United States hit the hardest.

“This is a significant discovery because widely-distributed malware with root capabilities have become rare over the past five years. As the Android ecosystem matures there are fewer exploits that affect a large number of devices, making them less useful for threat actors,” the company said.    

The security researchers have identified 19 applications related to the distribution of AbstractEmu, including utility apps and system tools, such as password managers, app launchers, and data saving software, all of which appeared functional to their users.

The most popular of these programs was Lite Launcher, which had over 10,000 downloads in Google Play at the time it was discovered. Other applications include All Passwords, Anti-ads Browser, Data Saver, My Phone, Night Light, and Phone Plus.

In addition to Google Play, the applications were being distributed through Amazon Appstore and Samsung Galaxy Store, as well as on Aptoide, APKPure, and other app marketplaces. The utilities were being promoted through advertisements on social media and Android-related forums.

[ READ: Apple Points to Android Infections in Argument Against iOS Sideloading ]

Once a Trojanized application is installed, it performs device checks, then starts gathering a large amount of information from the device, which is sent to the command and control (C&C) server alongside details on the supported commands.

Based on commands received from the server, the applications can collect files, contact information, device details, execute embedded root exploits; and install new apps using root access. Encoded shell scripts are used during and after the rooting process.

The security researchers also discovered that a so-called “Settings Storage” application is installed silently with extensive permissions, including access to the  camera, microphone, contacts, calls, messages, and location data.  

“Rooting Android or jailbreaking iOS devices are still the most invasive ways to fully compromise a mobile device. What we need to keep in mind — whether you’re an IT professional or a consumer — is that mobile devices are perfect tools for cyber criminals to exploit, as they have countless functionalities and hold an immense amount of sensitive data,” Lookout concludes.

Related: Apple Points to Android Malware in Argument Against iOS Sideloading

Related: Fake Netflix App Luring Android Users to Malware

Related: Android Banking Trojan ‘Vultur’ Abusing Accessibility Services