top of page

AbstractEMU - Another reason to take android security seriously.

Updated: Nov 10, 2021



Android malwares have evolved throughout the past several years and now pose an imminent threat to enterprise and personal devices. Also, as a global phenomenon, the pandemic had a powerful impact on the mobile threat landscape. The consequences of android malware are severe because it can unleash an array of threats like spyware, data leakage, or, much worse, a bot that can use a mobile device to perform nefarious activities.


Recently, security researchers at Lookout have discovered a rare Android malware that infects & takes over complete control of Android phones with rooting capabilities. This malware uses code abstraction and anti-emulation checking to dodge running under analysis and sandboxes and hence the name. AbstractEmu malware masked inside 19 Android applications distributed from Google Play store and other third-party app stores.


Once on the device, the malware will begin scraping and sending device information back to its C2 server and waiting for further commands. The threat actor uses the information gathered to execute one of five exploits for older Android security flaws (CVE-2020-0041, CVE-2020-0069, CVE-2019-2215, CVE-2015-3636, and CVE-2015-1805) to gain root access and stealthily grant themselves dangerous permissions to access sensitive information.


With rooting ability can itself escalate privileges and have the liberty to do whatever it wants on the system without user approval or action like installing additional malware. The attackers can then monitor notifications, capture screenshots or record the screen, lock or even reset the device password, accessibility services access to other apps' sensitive data, and launch phishing attacks in the background. AbstractEmu's behavior pattern imitates banking trojans that attempt to steal financial information from their victims using permissions obtained.


Speculation is that the malware creator(s) should be "a well-resourced group" with financial gain motivation and purpose to target as many users as possible indiscriminately and widespread. The ultimate aim of this attacker is still unknown as the threat actor already disabled the necessary endpoints to retrieve the additional payload from C2 Server.


Some of the apps and their installation packages discovered to contain the AbstractEmu malware are below:

Application

Package Name


com.mobilesoft.security.password



com.zooitlab.antiadsbrowser



com.smarttool.backup.smscontacts



com.st.launcher.lite



com.dentonix.myphone



com.nightlight.app



com.phoneplusapp

Besides being a threat to each individual, mobile malware can also revolt against enterprises. Usually, for mobile devices, companies do not place the same security measures as servers and workstations. Many organizations are now allowing users to work with the devices of their choice, which gives the employees the flexibility to use the device as their personal & work device but spawns an increased risk associated with Security and Compliance.


With BYOD Policy in place, organizations need to stay secure by administering best-of-breed Mobile threat management solutions with advanced features like Personal-Work data segregation without compromising privacy and remediation actions like blocking or selectively wiping a device.


As the development of mobile technology is increasing and the devices become more sophisticated, threats on mobile devices are growing exponentially. User interactions and behaviors also play an essential role in threats, and each of us should be cultured to stay secure by perceiving common cyber threats and risks.

64 views0 comments

Recent Posts

See All

Comments


bottom of page