AbstractEmu Android malware can root your device, lock you out
Security researchers at the Lookout Threat Lab have alerted app stores and the general public of an Android malware dubbed AbstractEmu masquerading as a fully functional security, utility, or privacy app. The malware gains unauthorized root access to the victim's device and can lock them out of their device, install other malware, and access all the sensor data and stored information.
Major third-party app stores also found distributing the malware
In a blog post, Lookout explained that the malware was spreading through 19 apps on the Google Play Store, Amazon Appstore, and the Samsung Galaxy Store besides third-party app stores such as APKPure and Aptoide, among others. Seven of these apps contained rooting functionality. An app called Lite Launcher was downloaded 10,000+ times from the Play Store before Google booted it upon Lookout's request.
AbstractEmu could be work of sophisticated group with financial motivation
Lookout concluded that it couldn't identify the bad actors behind the malware. However, it said the hackers seemed to be "a well-resourced group with financial motivation" identifiable by their sophisticated "use of burner emails, names, phone numbers, and pseudonyms." Additionally, Lookout's Kristina Balaam and Paul Shunk remarked that AbstractEmu's discovery is significant because widely distributed malware with root capability is a rarity now.
AbstractEmu uses a three-stage infection process to gain root access
The AbstractEmu malware is dangerous because users may inadvertently install it assuming it would work as a harmless app. On the surface, infected apps do work normally but unbeknown to the user, they trigger a three-stage infection process. Eventually, spyware, disguised as "Setting Storage" storage manager, is installed with root access. This can access the victim's contacts, call logs, messages, location, camera, and microphone.
Despite dangerous root access, malware's end goal remains unknown
Thanks to the aforementioned root access, the spyware effectively has more access to the victim's device than the victim themself. Bad actors could lock victims out, set malware to draw over other apps, capture banking screenshots, view notifications, record screen activity, and disable Google's Play Protect service. The malware's capabilities exceed those needed for banking scams and premium service scams like other modern malware.
Ensure you're running latest Android security patch to stay safe
To stay protected from the AbstractEmu malware, immediately update the Android version your phone is running on. All the vulnerabilities used for the attack were reportedly patched as of the official March 2020 Android security update. Additionally, steer clear of third-party app stores unless you are confident. Moreover, if you spot an app delisted from the Play Store, promptly uninstall it from your device.
