New Android Rooting Malware

Risk:
high
Damage:
high
Platform(s):
Android OS
Advisory ID:
ngCERT-2021-0058
Version:
N/A
CVE:
N/A
Published:
November 3, 2021

Summary


A new Android malware that can gain root access to smartphones, take complete control over infected smartphones and silently modify device settings while simultaneously taking steps to evade detection has been discovered. The malware named “AbstractEmu” has been found to be distributed via Google Play Store and third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as other lesser-known marketplaces like Aptoide and APKPure.

Description & Consequence


A total of 19 Android applications that posed as utility apps and system tools like password managers, money managers, app launchers, and data saving apps as been reported to contain the rooting functionality of the malware. The apps are said to have been prominently distributed via third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as other lesser-known marketplaces like Aptoide and APKPure. The apps includes, All Passwords, Anti-ads Browser, Data Saver, Lite Launcher, My Phone, Night Light, Phone Plus, etc.  

Rooting malware although rare, is very dangerous. By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware — steps that would normally require user interaction. Elevated privileges also give the malware access to other apps' sensitive data, something not possible under normal circumstances.

Once installed, the attack chain is designed to leverage one of five exploits for older Android security flaws that would allow it to gain root permissions and take over the device, install additional malware, extract sensitive data,  and transmit to a remote attack-controlled server. Additionally, the malware can perform the following:

  1. Modify the phone settings to give app ability to:
  1. Reset the device password, or lock the device, through device admin.
  2. Draw over other windows.
  3. Install other packages.
  4. Access accessibility services.
  5. Ignore battery optimization.
  6. Monitor notifications.
  7. Capture screenshots.
  8. Record device screen.
  9. Disable Google Play Protect.
  1. Modify permissions that grant access to contacts, call logs, SMS messages, GPS, Camera, and Microphone.

Solution


Although the malicious apps were removed from Google Play Store, the other app stores are likely distributing them.

  1. Users should be wary of installing unknown or unusual apps, and look out for different behaviours as they use their phones.
  2. Reset your phone to factory settings when you suspect unusual behaviours in your phone.

Reference


  1. https://siliconangle.com/2021/10/31/new-android-malware-roots-infected-devices-takes-complete-control/  
  2. https://thehackernews.com/2021/10/this-new-android-malware-can-gain-root.html  
  3. https://www.securityweek.com/tens-thousands-download-abstractemu-android-rooting-malware
  4. https://www.bleepingcomputer.com/news/security/new-abstractemu-malware-roots-android-devices-evades-detection/ 

Revision


Related Articles