Security researchers helped remove 19 apps from the Google Play Store that installed rare malware capable of hijacking the smartphone.
The malware, called AbstractEmu, discovered by Lookout cybersecurity researchers, is able to use the “root” features of the affected Android device to perform various activities, such as monitoring notifications, capturing screenshots, recording the screen, and even resetting the device’s password or locking it completely.
“Using the root process to gain privileged access to the Android operating system, the threat tool can silently grant itself dangerous permissions or install additional malware that normally requires user interaction,” the researchers write.
The malware-laden applications were disguised as utilities such as password managers, data savers, and app launchers, and were fully functional. Of the 19 apps removed, researchers claim that seven exhibited rooting ability and one had more than 10,000 downloads.
While researchers say that rooting malware has almost completely disappeared in the past five years, AbstractEmu is proof that it is not yet gone. In addition, the researchers note that the steps the malware took to avoid detection, using code abstraction and anti-emulation checks, were impressive.
AbstractEmu relies on one of five exploits for legacy Android vulnerabilities to root and hijack a device once it gets inside. After taking control, it collects all kinds of data about the device and sends it to a remote server and waits to collect additional data.
“At the time of discovery, the threat actor behind AbstractEmu had already disabled the necessary endpoints to receive this additional data from C2 [command and control server], which prevented us from learning the attackers’ ultimate intent,” the researchers write.