A new malware targeting Android smartphones has once again raised concerns about downloading apps from third-party or external App Stores. The ‘AbstractEmu’ malware has capabilities to gain ROOT access on an Android device, and it is spreading through fake or weaponized utility apps and system tools.
An as-yet-unidentified threat actor is actively lacing multiple utility apps and system tools with the AbstractEmu malware. The Android malware strain has the ability to root smartphones and take complete control over infected smartphones.
Aggressive Android malware spreading through weaponized apps available through third-party App Stores for Android OS:
Android malware isn’t new. Threat actors have long been attempting to infect Android smartphones and devices running the operating system.
Google has Play Protect deployed exclusively for the Android Play Store, the central repository of apps for Android devices. Play Store is the primary and official App Store for Android.
Unlike iOS App Store, the Android OS ecosystem does allow alternative App Stores. Moreover, Apple Inc. does not yet allow iPhone and iPad users to sideload apps.
We just released our findings on a new, rare #Android rooting #malware #AbstractEmu. In our research, we discovered apps related to the malware distributed on Google Play and third-party stores such as Amazon Appstore and the Samsung Galaxy Store. pic.twitter.com/gPmxgYe9nh
— Lookout Research (@LookoutThreats) October 28, 2021
Google allows Android OS to accept, install, and run sideloaded apps. The newly discovered Android malware uses this very freedom to spread.
Lookout Threat Labs, a security company, claims it discovered a total of 19 Android applications loaded with the new malware, they have dubbed AbstractEmu.
These apps posed as utility apps and system tools like password managers, money managers, app launchers, and data saving apps. Out of the 19, seven possessed the rooting functionality.
The malware, named AbstractEmu, used one of five exploits to root devices, including two recent ones, from 2020.
IOCs here: https://t.co/kq11w1RWam
I see Zscaler replaced the table with an image — the exact format that most researchers like their IOCs delivered.😂 pic.twitter.com/T7QTtlip6L
— Catalin Cimpanu (@campuscodi) October 28, 2021
Only one of the weaponized apps, called Lite Launcher, made its way to the official Google Play Store. It managed to garner a total of 10,000 downloads before Google’s automated threat detection systems purged the same from the Play Store.
The rest of the apps were available through third-party App Stores such as Amazon Appstore and the Samsung Galaxy Store.
AbstractEmu Android malware has multiple techniques to avoid detection during antivirus scans and analysis:
The malware reportedly earned its name owing to its use of code abstraction and anti-emulation checks to avoid running while under analysis. The cybersecurity company that discovered the malware claims, a “well-resourced group with financial motivation,” is behind the malware.
New AbstractEmu malware roots Android devices, evades detection #infosec https://t.co/cHXxKlvQfS
— Andreas Finstad – (4ndr34z) (@4nqr34z) October 29, 2021
Telemetry data reveals Android device users in the U.S. are the primary target. There are no clear objectives or payloads, yet. Nonetheless, gaining ROOT access to a device grants Administrator or absolute control over the same.
Apps with ROOT permission can grant themselves multiple system-level rights. They can extract data, install apps, download payloads, communicate with the Command and Control servers, and much more.