A newly detected Android malware is able to root infected tech to take total control, while tweaking system settings unnoticed. The malware is also able to escape detection using anti-emulation and code abstraction checks.

A bundle of trouble for Android users

Security researchers from Lookout Threat Labs have named the new malware AbstractEmu. The team of researchers encountered it bundled together with 19 different utility applications distributed through Google Play and other third-party application stores like Amazon Appstore, Aptoide, the Samsung Galaxy Store and APKPure.

Applications bundling AbstractEmu included dedicated password managers and tools like app launchers and data savers. All of these options provide the functionality to evade raising user suspicions.

The malicious applications were successfully removed from Google Play Store’s available products after the researchers at Lookout reported their findings. However, it is likely that many other app stores are still distributing the bundles.

Lite Launcher, a branded app launcher, was one of the applications used to deploy the AbstractEmu malware on Android user devices, and it had around 10,000 downloads to its credit before being removed by Google Play from its listings.

Commenting on the new form of malware in a statement, the team at Lookout Threat Labs said:

“AbstractEmu does not have any sophisticated zero-click remote exploit functionality used in advanced APT-style threats, it is activated simply by the user having opened the app. As the malware is disguised as functional apps, most users will likely interact with them shortly after downloading.”

How AbstractEmu operates

Following installation, AbstractEmu malware begins harvesting and transmitting stolen system information to its dedicated command-and-control server, while the malicious software awaits fresh commands.

To successfully root the Android devices it is infecting, AbstractEmu employs multiple tools targeting several known vulnerabilities, such as the bug tracked as CVE-2020-0041, which has never been exploited in connection with Android apps – until now.

The new malware also utilises a CVE-2020-0069 exploit to take advantage of a vulnerability present in MediaTek chips. These chips are used by numerous smartphone makers that, combined, have sold millions of communications devices.

The threat operators responsible for AbstractEmu have adequate skills and are tech savvy enough to add support for further targets using freely available code for both CVE-2020-0041 and CVE-2019-2215 exploits.

The researchers at lookout commented:

“This is a significant discovery because widely-distributed malware with root capabilities have become rare over the past five years. By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware — steps that would normally require user interaction.”

The AbstractEmu malware will wait for any commands issued by its C2 server, which can order it to harvest and then exfiltrate data files based on a number of factors, such as how recent they are or whether they match a particular pattern. The server can also command it to root infected devices, or even install brand-new apps of its choosing.

The malware can also acquire screen grabs, lock devices, reset passwords and monitor notifications.