KEY POINTS

  • AbstractEmu is reportedly made by a "well-resourced group with financial motivation"
  • The threat enters Android devices by hiding in utility or money manager apps
  • Google has removed the virus-laden apps from the Play Store

A new Android malware that roots devices to gain control and modify system settings has been uncovered by security experts. The malware also uses anti-emulation and code abstraction checks to evade analysis.

Security researchers at the cybersecurity company Lookout Threat Lab discovered the threat and named it AbstractEmu. The malicious software gets onto a device by posing as legitimate software.

AbstractEmu has been found in 19 apps, one of which had already been downloaded more than 10,000 times from the Google Play Store before it was removed. The apps were also distributed through third-party stores such as the Samsung Store and Amazon AppStore.

[Image: malware program. Caption: These malicious programs are designed to steal your data. Credit: Pexels]

Fortunately, Google promptly removed the apps from its store to protect users after being alerted by the cybersecurity company. "Of the 19 apps we found related to the malware, most of them were disguised as utility apps such as password or money managers, and system tools like file managers and app launchers. All of them appeared to be functional to the users," Lookout revealed.

"While rare, rooting malware is very dangerous. By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware — steps that would normally require user interaction. Elevated privileges also give the malware access to other apps’ sensitive data, something not possible under normal circumstances," Lookout revealed in a blog post.

Simply put, "AbstractEmu does not have any sophisticated zero-click remote exploit functionality used in advanced APT-style threats, it is activated simply by the user having opened the app," the security researchers noted. "As the malware is disguised as functional apps, most users will likely interact with them shortly after downloading," they added.

The cybersecurity researchers also identified that the threat actors behind AbstractEmu are a "well-resourced group with financial motivation." The firm also said, "Their code-base and evasion techniques — such as the use of burner emails, names, phone numbers and pseudonyms — are quite sophisticated. We also found parallels between the malware and banking trojans, such as the untargeted distribution of their apps and the permissions they seek."

Threat actors use the package manager to "silently install a new app and grant it a number of intrusive permissions, such as access to contacts, call logs, SMS messages, location, camera and microphone." Apart from this, "the app will modify settings to grant itself risky capabilities or reduce the device’s security. With these capabilities, the app can be used to conduct phishing attacks and provide the actor with all the information needed for illicit access to user accounts."
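The silent install-and-grant behaviour described above leaves a visible trace: an installed package that holds the full set of intrusive runtime permissions named in the quote. The following is an added defender-side example, not code from Lookout or from the article, that parses a constructed excerpt resembling `adb shell dumpsys package` output and flags packages holding that combination. The exact dumpsys field layout, the package names and the `threshold` of four grants are assumptions for illustration; the permission identifiers are the real Android names for the data types listed.

```python
"""Flag installed apps whose granted runtime permissions match the intrusive set
described for AbstractEmu (contacts, call logs, SMS, location, camera, microphone).
The input is a constructed excerpt resembling `adb shell dumpsys package` output;
the field layout is an assumption for this example, not taken from Lookout's report."""
import re
from collections import defaultdict

# Real Android permission identifiers for the data types named in the article.
INTRUSIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed sample: a benign-looking notes app and a fake launcher holding the whole set.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.notes] (1a2b3c):
    runtime permissions:
      android.permission.CAMERA: granted=true
      android.permission.READ_CONTACTS: granted=false
  Package [com.example.fakelauncher] (4d5e6f):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true
      android.permission.READ_CALL_LOG: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.CAMERA: granted=true
      android.permission.RECORD_AUDIO: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_granted(text):
    """Map package name -> set of permissions that appear with granted=true."""
    granted = defaultdict(set)
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted[current]  # record the package even if it holds no grants
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            granted[current].add(m.group(1))
    return dict(granted)


def flag_intrusive(granted, threshold=4):
    """Return {package: [data types]} for packages holding at least `threshold`
    of the intrusive grants; the threshold is an assumption for this example."""
    flagged = {}
    for pkg, perms in granted.items():
        hits = sorted(INTRUSIVE[p] for p in perms if p in INTRUSIVE)
        if len(hits) >= threshold:
            flagged[pkg] = hits
    return flagged


if __name__ == "__main__":
    for pkg, hits in flag_intrusive(parse_granted(SAMPLE_DUMPSYS)).items():
        print(f"{pkg}: {', '.join(hits)}")
```

A real audit would run this over `dumpsys package` output from the device and compare the result with the list of apps the user remembers installing; a package the user never chose, holding this combination, is exactly the artefact the quoted behaviour produces.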

This newly discovered threat to Android devices is another reminder to consumers to always be extra careful when installing apps.