Rooting malware found in at least 19 Android mobile apps

Cyber Researchers for Lookout have found 19 mobile apps which are carrying a new, rooting malware, which was available on Google Play as well as third-party Android app stores as part of a trojan malware campaign to infect users’ phones. 

From there, the trojan malware can gain privileged access to an Android operating system by leveraging the rooting process. The threat actor can then escalate their permissions and install additional malware without user interaction.  

Due to this new malware variant’s ability to avoid anti-emulation security checks via use of code abstraction, it has been dubbed “AbstractEmu”. Reportedly, most of the time the malware was hidden in utility apps like password and money managers as well as system tools like file managers and app launchers to target a wide swath of Android users.  

So far, the infected apps were mainly found on Google Play, Amazon Appstore and Samsung Galaxy Store. Other app stores affected included Aptoide and APKPure. 

What is AbstractEmu? 

AbstractEmu is embedded into seemingly-legitimate applications and, once downloaded onto a target, goes on to exploit a wide number of vulnerabilities to root the device. Once completing that, a new app called “Settings Storage” is installed and given permissions required to access: 

• Contacts.  
• Call logs. 
• SMS messages.  
• Camera and microphone.  
• Geo-location data.  

Other actions the malicious software allows threat actors to performs like altering a number of settings, allowing them to reset the device password, install more malicious packages, perform screen overlay and draw over other windows to hide activities, disable Google Play Protect, and so on. 

The malware targets a number of exploits to accomplish its goals, including high-scoring vulnerabilities like: 

• CVE-2020-0041, a privilege escalation vulnerability not previously seen exploited for Android apps in the wild.  
• CVE-2020-0069, a privilege escalation vulnerability existing in MediaTek chips, which are used by many smartphone manufacturers. 
• As well as modifying the public exploit code for CVE-2019-2215, an elevation of privilege vulnerability, as well as CVE-2020-0041, to increase support for more targets. 

A number of the permissions and abilities gained by the malicious “Settings Storage” app are usually utilised by financially-motivated threat actors to intercept 2FA codes sent via SMS, capture content displayed on screen, screen overlay, connect and interact with other apps, and more. 

Who’s been affected? 

AbstractEmu notably takes advantage of vulnerabilities that lead to indiscriminate, mass exploitations, leveraging common vulnerabilities from 2019 and 2020 to launch cyber attacks against as many users as possible. Reportedly, the majority of those impacted are from the United States, however it is believed that people in over 17 countries have been hit by the malware. Notably, while the majority of phishing ads found for the apps were in English, one advertisement was in Vietnamese. 

Infected apps include: 

• Lite Launcher 
• Anti-ads Browser 
• Data Saver 
• All Passwords 
• Night Light 
• My Phone 
• Phone Plus. 

One of the infected apps, Lite Launcher, had over 10,000 downloads before it was removed. 

However, even with this, it can still be difficult to determine how many infected apps are out there as it can be difficult for users to detect if they’ve been targeted by the malware. 

Cyber researchers at Lookout said that “If the user tries to run the app, it will exit and open the legitimate settings app”, which “itself does not contain any malicious functionality”, as a diversion tactic. Detection, instead, “depends entirely on the files that its C2 server provides during execution”. 

Unfortunately, by the time the AbstractEmu was discovered by the Lookout cyber researchers, the threat actor “had already disabled the endpoints necessary to retrieve this additional payload from C2”, preventing them “from learning the ultimate aim of the attackers”. Although, it’s surmised that the threat actors are a “well-resourced group with financial motivation” as the trojanised apps had sophisticated evasion techniques and were disguised as a multitude of different apps. 

The names for malicious packages and IoCs have also been shared by Lookout to help with identification of malicious activity. 

Recommendations 

To avoid malware like this, users and organizations are strongly recommended to: 

• Regularly keep the mobile operating system up-to-date with the latest security patches. 
• Download apps only from official stores, as malware taken down there might still be available on less reputable stores.  
• Always be careful when installing unknown apps, regardless of the app store. 
• Have a dedicated mobile security software to help secure your mobile device against threats like OS and app vulnerabilities, phishing, malware and network threats. 

However, for those who have become victims of the malware already and they can do about it, things are quite dire in regards to rooting malware. 

Stephen Banda, Senior Manager of Security Solutions for Lookout, told Help Net Security that “In an ideal scenario, the end user’s device would have been protected by a mobile security solution with the detection efficacy to be able to prevent the malware from infecting the device. But in the case where a device has been rooted and perhaps additional malware installed, there are only a couple reasonable mitigations options”. 

Banda said that while an infected user “could do a factory reset and then re-install the operating system and restore the data on the device from a clean backup”. This method will work for the majority of cases but it isn’t fix-all “and does not fully resolve the issue”. When a device is “infected with persistent malware, the malware is designed to automatically reinstall itself onto the device following a factory reset”. 

Due to having no real-time detection feature and only really being capable of wiping the phone, Mobile device management solutions also prove rather fruitless in dealing with persistent malware like this. 

Unfortunately, for a number of users already infected with rooting malware wanting a complete solution to their woes, the only risk-free way is wiping the device, disposing of it, and buying a completely new one.  

Once again, in the cybersecurity world, prevention is better than cure, especially for increasingly-sophisticated rooting malware.