The android threat disrupting airwaves

[Image: a person holding a smartphone with a security padlock symbol hovering above it. Image credit: Shutterstock]

The Android operating system has long been a primary target for threat actors looking to infiltrate smartphones and tablets in order to steal our personal data or corporate login credentials. As the OS has evolved, so has its ability to provide some basic protections against certain threat types. Even so, attackers are still finding ways to infiltrate devices using tactics and malware that grant them root access to the device.

About the author

Hank Schless is Senior Manager of Security Solutions at Lookout.

For those unaware, rooting malware grants privileged access to the Android operating system. With such access, the malware can take full control of the device, grant itself permissions, change system settings, install additional malware and extract sensitive information. Threat actors armed with such controls and information can morph their attacks to conduct targeted phishing campaigns, steal sensitive data needed to compromise user accounts or conduct surveillance.

Rooting malware is a serious threat that continues to find its way onto popular app stores like Google Play, as well as other prominent third-party app stores such as the Amazon Appstore and the Samsung Galaxy Store. Because of this, both users and enterprises need to be cautious.

Recently, researchers at the Lookout Threat Lab discovered AbstractEmu, a novel rooting malware campaign that is the first of its kind in almost five years. The malware was given the name AbstractEmu because of its unique code extractions and anti-emulation checks which helped it avoid detection. AbstractEmu was first detected on the Google Play store before further discovery was made on the Amazon Appstore and the Samsung Galaxy Store. The infected apps were quickly removed from Google Play after Google was notified. Considering the dangers surrounding AbstractEmu, both businesses and users must be made aware of the tell-tale signs of rooting malware to avoid falling victim to this dangerous threat.

Vulnerabilities aplenty

AbstractEmu targeted known vulnerabilities that were first uncovered in 2019 and 2020, as well as CVEs (common vulnerabilities and exposures) that had not yet been flagged in the wild, like CVE-2020-0041. Another vulnerability AbstractEmu targeted was CVE-2020-0069, a flaw in MediaTek chips, hardware commonly used by major smartphone manufacturers.

CVEs are regularly discovered and reported on, but attackers take advantage of the window between discovery and patching to execute attacks. AbstractEmu is a prime example of how attackers use rooting exploits to target vast numbers of people indiscriminately. In most cases, vulnerabilities are discovered and quickly patched with updates by the system operators. However, with mobile devices, the user is only safe once they have actually updated their device, which may take days or weeks if the end user doesn’t understand the criticality of the vulnerability.

Trojanized apps an issue

Similar to most mobile malware, rooting malware has a better chance of success if it is able to hide itself in a legitimate-looking app in a technique known as trojanization. This increases the chances of the malware being downloaded by unsuspecting victims.

Lookout security researchers detected 19 apps that had connections to AbstractEmu, with seven of these apps possessing rooting capabilities. Further analysis revealed that one of these trojanized apps had been downloaded over 10,000 times from the Google Play Store. This particular app had morphed into a variety of different apps, from security and utility apps like password managers to system tools including app launchers and data savers.

When Lookout broke down AbstractEmu, it found that the malware lacked the advanced surveillance capabilities and sophisticated zero-click remote exploit functionality documented in other advanced APT-style threats like Pegasus. Despite not having these capabilities, the malware is still dangerous, as it activates as soon as the victim downloads the trojanized app and opens it.

Follow best practices and cybersecurity hygiene

Mobile threats like AbstractEmu are becoming more common as cybercriminals increase their attacks against mobile devices. Whether you are a security professional or an everyday user, following security best practices will go a long way in protecting both yourself and your device.

Tablets and smartphones help many stay connected in this digital age and contain large amounts of sensitive and personal information. For businesses, many employers have adopted a hybrid working stance, with data now readily available in the cloud and accessible anywhere from any device. This enables individuals to be just as productive while working flexibly. Yet it gives security teams the challenge of defending users across this increasingly disparate and vulnerable environment. Given how sophisticated modern mobile devices are, they offer many capabilities that threat actors can exploit.

As a rule of thumb, all software on mobile devices must be kept up to date. Usually, the operating system will have regular updates to patch vulnerabilities and flaws, and these should be enabled by the device's user. It’s also important to only download applications from official app stores. Read the reviews and research the developers behind the apps before downloading. Even then, always be cautious and report any suspicious behavior to the relevant authorities.

As an extra layer of protection against the various mobile attack vectors, consider implementing a dedicated mobile security app on all your mobile devices. There are non-intrusive mobile security solutions that can detect, remediate and protect against app-based attacks, malware, phishing and device-based attacks. We all protect our computers with dedicated security so why shouldn’t we do the same for our mobile devices?

