Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Tens of Thousands Download “AbstractEmu” Android Rooting Malware

Malware hunters at Lookout Security have discovered a new Android rooting malware that managed to score tens of thousands of downloads through Google Play and third-party application stores.

Malware hunters at Lookout Security have discovered a new Android rooting malware that managed to score tens of thousands of downloads through Google Play and third-party application stores.

Dubbed AbstractEmu, the malware attempts to gain root access by exploiting several vulnerabilities identified in 2019 and 2020, as well as two from 2015. The adversary even modified publicly available exploits for two 2019 and 2020 CVEs, to ensure that they can target a larger number of devices.

The targeting of such security errors suggests that the malware operators were targeting users globally, Lookout said in a report documenting the threat. Users in 17 countries were affected, with the United States hit the hardest.

“This is a significant discovery because widely-distributed malware with root capabilities have become rare over the past five years. As the Android ecosystem matures there are fewer exploits that affect a large number of devices, making them less useful for threat actors,” the company said.    

The security researchers have identified 19 applications related to the distribution of AbstractEmu, including utility apps and system tools, such as password managers, app launchers, and data saving software, all of which appeared functional to their users.

The most popular of these programs was Lite Launcher, which had over 10,000 downloads in Google Play at the time it was discovered. Other applications include All Passwords, Anti-ads Browser, Data Saver, My Phone, Night Light, and Phone Plus.

In addition to Google Play, the applications were being distributed through Amazon Appstore and Samsung Galaxy Store, as well as on Aptoide, APKPure, and other app marketplaces. The utilities were being promoted through advertisements on social media and Android-related forums.

[ READ: Apple Points to Android Infections in Argument Against iOS Sideloading ]

Once a Trojanized application is installed, it performs device checks, then starts gathering a large amount of information from the device, which is sent to the command and control (C&C) server alongside details on the supported commands.

Based on commands received from the server, the applications can collect files, contact information, device details, execute embedded root exploits; and install new apps using root access. Encoded shell scripts are used during and after the rooting process.

The security researchers also discovered that a so-called “Settings Storage” application is installed silently with extensive permissions, including access to the  camera, microphone, contacts, calls, messages, and location data.  

“Rooting Android or jailbreaking iOS devices are still the most invasive ways to fully compromise a mobile device. What we need to keep in mind — whether you’re an IT professional or a consumer — is that mobile devices are perfect tools for cyber criminals to exploit, as they have countless functionalities and hold an immense amount of sensitive data,” Lookout concludes.

Related: Apple Points to Android Malware in Argument Against iOS Sideloading

Related: Fake Netflix App Luring Android Users to Malware

Related: Android Banking Trojan ‘Vultur’ Abusing Accessibility Services

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.