InfoSec Insider

Rooting Malware Is Back for Mobile. Here’s What to Look Out For.

Hank Schless, senior manager of security solutions at Lookout, discusses AbstractEmu, mobile malware found on Google Play, Amazon Appstore and the Samsung Galaxy Store.

Over the last several years, as the Android ecosystem matured, widely-distributed malware with rooting capabilities has become rare. But its rarity doesn’t mean it’s not still a threat.

By definition, rooting malware is extremely dangerous because it can gain privileged access to the Android operating system. This enables the malware to grant itself further permissions, change system settings and install additional malware, steps that usually require user interaction. Armed with these invasive controls, threat actors can then conduct targeted phishing attacks, steal sensitive data needed to compromise user accounts or conduct surveillance.

Register now for our LIVE event!

Recently, the Lookout Threat Lab uncovered the first widespread rooting malware campaign in five years. Dubbed AbstractEmu due to its use of code extraction and anti-emulation checks to avoid detection, the malware was found on Google Play and other prominent third-party app stores such as Amazon Appstore and the Samsung Galaxy Store. Lookout notified Google and the apps were promptly removed.

Using AbstractEmu as an example. Here are things you should look for to ensure you don’t fall victim to rooting malware.

There Are Plenty of Vulnerabilities to Go Around

AbstractEmu is a great example of how threat actors can leverage rooting exploits to indiscriminately target the general population. Most vulnerabilities, once discovered, are patched over with updates. But users are protected only if they take the time to update their devices.

There are numerous vulnerabilities within the Android ecosystem that are ripe to be exploited. This campaign targets very contemporary vulnerabilities from 2019 and 2020, including CVE-2020-0041, a vulnerability not previously seen used in the wild. AbstractEmu also targeted CVE-2020-0069, a vulnerability found in MediaTek chips used by dozens of smartphone manufacturers. Collectively, there are millions of devices that are affected by this vulnerability.

Things Are Not Always What They Seem: Trojanized Apps

Something that is not unique to rooting malware, but has aided the distribution of the AbstractEmu campaign, is trojanizing apps. By disguising its malicious intent behind seemingly innocuous apps, the threat actor is able to lure unsuspecting users into downloading the malware.

Lookout researchers found a total of 19 apps related to the malware, seven of which contained rooting functionalities. One app that was found on Google Play was confirmed to have been downloaded more than 10,000 times. AbstractEmu disguised itself as a number of different apps, including utility apps, such as password managers, and system tools like app launchers or data savers.

AbstractEmu does not have sophisticated zero-click remote exploit functionality used in advanced APT-style threats like Pegasus. But it doesn’t need this capability, since the malware will be activated when the user opens the trojanized app shortly after downloading it.

Rare or Not, Always Use Cybersecurity Best Practices

Protecting yourself against AbstractEmu highlights a couple of the cybersecurity best practices that we should all keep in mind, whether you’re an IT professional or just an individual. Tablets and smartphones are how most of us stay connected to work and manage personal responsibilities, which means they hold an immense amount of data. These devices are also very sophisticated and have countless functionalities that bad actors can leverage.

To protect yourself and your organization, you should always keep your device’s operating system up to date. I also recommend using official app stores only, and even then, exercise caution when downloading something unknown to you.

Hank Schless is senior manager of security solutions at Lookout.

Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.

Suggested articles