Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Application Security

Tens of Thousands Download “AbstractEmu” Android Rooting Malware

Malware hunters at Lookout Security have discovered a new Android rooting malware that managed to score tens of thousands of downloads through Google Play and third-party application stores.

Malware hunters at Lookout Security have discovered a new Android rooting malware that managed to score tens of thousands of downloads through Google Play and third-party application stores.

Dubbed AbstractEmu, the malware attempts to gain root access by exploiting several vulnerabilities identified in 2019 and 2020, as well as two from 2015. The adversary even modified publicly available exploits for two 2019 and 2020 CVEs, to ensure that they can target a larger number of devices.

The targeting of such security errors suggests that the malware operators were targeting users globally, Lookout said in a report documenting the threat. Users in 17 countries were affected, with the United States hit the hardest.

“This is a significant discovery because widely-distributed malware with root capabilities have become rare over the past five years. As the Android ecosystem matures there are fewer exploits that affect a large number of devices, making them less useful for threat actors,” the company said.    

The security researchers have identified 19 applications related to the distribution of AbstractEmu, including utility apps and system tools, such as password managers, app launchers, and data saving software, all of which appeared functional to their users.

The most popular of these programs was Lite Launcher, which had over 10,000 downloads in Google Play at the time it was discovered. Other applications include All Passwords, Anti-ads Browser, Data Saver, My Phone, Night Light, and Phone Plus.

In addition to Google Play, the applications were being distributed through Amazon Appstore and Samsung Galaxy Store, as well as on Aptoide, APKPure, and other app marketplaces. The utilities were being promoted through advertisements on social media and Android-related forums.

Advertisement. Scroll to continue reading.

[ READ: Apple Points to Android Infections in Argument Against iOS Sideloading ]

Once a Trojanized application is installed, it performs device checks, then starts gathering a large amount of information from the device, which is sent to the command and control (C&C) server alongside details on the supported commands.

Based on commands received from the server, the applications can collect files, contact information, device details, execute embedded root exploits; and install new apps using root access. Encoded shell scripts are used during and after the rooting process.

The security researchers also discovered that a so-called “Settings Storage” application is installed silently with extensive permissions, including access to the  camera, microphone, contacts, calls, messages, and location data.  

“Rooting Android or jailbreaking iOS devices are still the most invasive ways to fully compromise a mobile device. What we need to keep in mind — whether you’re an IT professional or a consumer — is that mobile devices are perfect tools for cyber criminals to exploit, as they have countless functionalities and hold an immense amount of sensitive data,” Lookout concludes.

Related: Apple Points to Android Malware in Argument Against iOS Sideloading

Related: Fake Netflix App Luring Android Users to Malware

Related: Android Banking Trojan ‘Vultur’ Abusing Accessibility Services

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...