New Android Malware Can Take Over Your Phones and Gain Root Access (12th November 2021)

Ref# AL2021_40 | Date: Nov 12th 2021

A new Android malware, discovered on February 20th, 2020, by Lookout Threat Lab researchers, has been linked to an unidentified threat actor. It can root phones and take complete control of affected devices while attempting to evade detection.

Summary

The malware has been dubbed “AbstractEmu” due to its use of code abstraction and anti-emulation checks to prevent it from operating while under investigation.

How it works

According to Lookout Threat Labs, it unearthed a total of 19 Android applications masquerading as utility apps and system tools such as password managers, money managers, app launchers, and data-saving apps, seven of which contained rooting functionality. Only one of the rogue apps, Lite Launcher, made it to the official Google Play Store, where it received 10,000 downloads before being removed.

The apps are said to have been widely shared through third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as less well-known marketplaces such as Aptoide and APKPure.

“Despite its rareness, rooting malware is extremely dangerous. The threat actor can stealthily grant themselves damaging rights or install more malware by utilizing the rooting procedure to get privileged access to the Android operating system. These actions would ordinarily need user engagement,” according to researchers at Lookout. “Elevated rights also allow the malware to access sensitive data from other apps, which is impossible in normal conditions.”

Once installed, the attack chain uses one of five exploits for older Android security holes to gain root capabilities, take control of the device, retrieve sensitive data, and send it to a remote attacker-controlled site.
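Because the advisory's central concern is silent rooting, a defender's first question for a suspect device is whether the usual root indicators are present. The script below is an added example written for this alert, not tooling from Lookout or the Guyana National CIRT. It parses the output of `adb shell getprop` and of an `ls -l` over common su binary locations (both captured as text beforehand), and reports build properties and files that are not expected on a stock, locked-down device. The property names, expected values and su paths are general Android conventions, not indicators published for AbstractEmu, and the sample outputs embedded below are constructed.

```python
"""Root-indicator triage from captured `adb shell` output (added example).

Hypothetical helper for this advisory; not Lookout's or the CIRT's tooling.
An empty result does not prove a device is clean: rooting malware may hide
or remove the artefacts checked here.
"""
import re

# Values expected on a stock, locked-down build (general Android convention).
EXPECTED_PROPS = {
    "ro.secure": "1",
    "ro.debuggable": "0",
    "ro.build.type": "user",
}

# Common su binary locations (assumption: not taken from the advisory).
SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su", "/vendor/bin/su")

# `getprop` prints one "[key]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Parse `adb shell getprop` output into a {key: value} dict."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_ls(text):
    """Return the set of paths that `ls -l` reported as existing.

    Lines for missing files ("No such file") are skipped; for existing
    files the path is the last whitespace-separated field of the line.
    """
    present = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or "No such file" in line:
            continue
        present.add(line.split()[-1])
    return present


def root_indicators(getprop_text, ls_text):
    """Return a sorted list of human-readable root indicators found."""
    props = parse_getprop(getprop_text)
    findings = []
    for key, expected in EXPECTED_PROPS.items():
        actual = props.get(key)
        if actual is not None and actual != expected:
            findings.append(f"{key}={actual} (expected {expected})")
    # Builds signed with the public AOSP test keys are not vendor-signed.
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("ro.build.tags contains test-keys")
    for path in sorted(parse_ls(ls_text) & set(SU_PATHS)):
        findings.append(f"su binary present at {path}")
    return sorted(findings)


# Constructed sample captures for a device that shows several indicators.
SAMPLE_GETPROP = """\
[ro.build.tags]: [test-keys]
[ro.build.type]: [user]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.product.model]: [Example Phone]
"""

SAMPLE_LS = """\
ls: /system/bin/su: No such file or directory
-rwsr-sr-x 1 root root 1234 2021-11-12 00:00 /system/xbin/su
ls: /sbin/su: No such file or directory
ls: /vendor/bin/su: No such file or directory
"""

if __name__ == "__main__":
    # On a real device the two inputs would come from, for example:
    #   adb shell getprop > getprop.txt
    #   adb shell ls -l /system/bin/su /system/xbin/su /sbin/su /vendor/bin/su > su.txt
    for finding in root_indicators(SAMPLE_GETPROP, SAMPLE_LS):
        print("ROOT INDICATOR:", finding)
```

Run against the constructed sample, the script reports the test-keys build tag, the debuggable and non-secure properties, and the su binary under /system/xbin. A device that matches one of these should be treated as compromised and reimaged rather than cleaned in place, since elevated privileges let the malware alter anything the checks rely on.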

For more information on this vulnerability, kindly follow this URL:

https://www.tomsguide.com/news/abstract-emu-android-malware

Remediation

While there is no concrete patch available for this kind of threat, the Guyana National CIRT recommends that users apply the following measures to avoid infection.