Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign
Security researchers at Lookout have identified a new rooting malware distributed on Google Play and prominent third-party stores such as the Amazon Appstore and the Samsung Galaxy Store.
We named the malware “AbstractEmu” after its use of code abstraction and anti-emulation checks to avoid running while under analysis. A total of 19 related applications were uncovered, seven of which contain rooting functionality, including one on Play that had more than 10,000 downloads. To protect Android users, Google promptly removed the app as soon as we notified them of the malware.
This is a significant discovery because widely-distributed malware with root capabilities have become rare over the past five years. As the Android ecosystem matures there are fewer exploits that affect a large number of devices, making them less useful for threat actors.
While rare, rooting malware is very dangerous. By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware — steps that would normally require user interaction. Elevated privileges also give the malware access to other apps’ sensitive data, something not possible under normal circumstances.
Who is the threat actor and what do they want?
While we don’t know exactly who is behind AbstractEmu, we think the actors are a well-resourced group with financial motivation. Their code-base and evasion techniques — such as the use of burner emails, names, phone numbers and pseudonyms — are quite sophisticated. We also found parallels between the malware and banking trojans, such as the untargeted distribution of their apps and the permissions they seek.
Indiscriminate targeting
One of the major clues as to the threat actors behind AbstractEmu is based on the widespread, untargeted distribution of the apps. Of the 19 apps we found related to the malware, most of them were disguised as utility apps such as password or money managers, and system tools like file managers and app launchers. All of them appeared to be functional to the users. This includes “Lite Launcher” which had more than 10,000 downloads before it was taken off Play.
The types of vulnerabilities AbstractEmu takes advantage of also point to a goal of targeting as many users as possible, as very contemporary vulnerabilities from 2019 and 2020 are leveraged. One of the exploits used CVE-2020-0041, a vulnerability not previously seen exploited in the wild by Android apps. Another exploit targeted CVE-2020-0069, a vulnerability found in MediaTek chips used by dozens of smartphone manufacturers that have collectively sold millions of devices. As a hint to the threat actor’s technical abilities, they also modified publicly available exploit code for CVE-2019-2215 and CVE-2020-0041 in order to add support for more targets.
The way the AbstractEmu threat actor distributes these apps is also indiscriminate. In addition to Google Play, Amazon Appstore and Samsung Galaxy Store, we found them on Aptoide, APKPure and other lesser known app stores and marketplaces. In terms of promotions, we uncovered advertisements on social media and Android-related forums. While most were written in English, we did find one instance where the malware was promoted in Vietnamese. Though our telemetry showed that people in the United States were the most impacted, people from a total of 17 countries were victimized by AbstractEmu.
Parallels to banking trojans
In addition to the untargeted distribution of the app, the extensive permissions granted through root access align with other financially motivated threats we have observed before. This includes common permissions banking trojans request that provide them the ability to receive any two-factor authentication codes sent via SMS, or run in the background and launch phishing attacks. There are also permissions that allow for remote interactions with the device, such as capturing content on the screen and accessing accessibility services, which enables threat actors to interact with other apps on the device, including finance apps. Both of these are similar to the permissions requested by the Anatsa and Vultur malware families.
Beyond these, Mandrake was another financially motivated threat which had extensive spyware capabilities similar to those seen with AbstractEmu. By having complete insight into the device and its activity, the actors can tailor their attacks to the specific target and increase the likelihood of success.
Multilayer malicious flow
The threat actor behind AbstractEmu takes great lengths to ensure they evade detection — from the initial infection to the third stage of the infection. Each of the techniques aren’t unique on their own, but when deployed as part of a campaign they indicate just how well-resourced the threat actor is.
AbstractEmu does not have any sophisticated zero-click remote exploit functionality used in advanced APT-style threats, it is activated simply by the user having opened the app. As the malware is disguised as functional apps, most users will likely interact with them shortly after downloading.
Initial infection: anti-emulation and device inspection
Beyond the legitimate functionalities of the trojanized apps lies a series of steps taken to ensure AbstractEmu isn’t detected, which are activated as soon as the user opens the app. The first step is to check whether the infected device is a real device or is emulated. Similar to checks seen in an open source library EmulatorDetector, the malware will look at the device's system properties, list of installed applications and filesystem.
Once the device passes that initial analysis, the app will begin communicating with its command and control (C2) server via HTTP, expecting to receive a series of JSON commands to execute. Each app contains hard-coded commands that it supports. To decide which command to execute, the app will send a large amount of data to the C2 server, including both the commands it has support for, and device data such as the device’s manufacturer, model, version and serial number, telephone number and IP address.
Other information AbstractEmu’s C2 server checks include whether the app has root access, which app was used to install the malicious app and whether the requested permissions and capabilities have been granted.
In total we found four supported commands embedded within these apps, though not all of the apps offer the same capabilities.
The rooting process: the heart of the malicious flow
At the center of AbstractEmu’s infection flow is getting root access to the Android device. By rooting the device, the malware is able to silently modify the device in ways that would otherwise require user interaction and access data of other apps on the device.
To ensure the process goes smoothly, the apps are embedded with hidden, encoded files used during and after the rooting process — including exploit binaries targeting different vulnerabilities. By default, these binaries are executed in a specific order, although the C2 server can change that order based on how the device is configured.
In addition to these binaries, the apps also contain three encoded shell scripts and two encoded binaries copied from Magisk that are used during and after the rooting process. Magisk is a tool that allows Android users to acquire root access on their devices.
Two of the shell scripts are used to execute the exploit binary, gain root and then use elevated privileges to install the Magisk components for further root access. The newly installed Magisk components are used to execute the final shell script which first extracts an APK embedded in a binary to the device.
Then the package manager is used to silently install a new app and grant it a number of intrusive permissions, such as access to contacts, call logs, SMS messages, location, camera and microphone. In addition, the app will modify settings to grant itself risky capabilities or reduce the device’s security. With these capabilities the app can be used to conduct phishing attacks and provide the actor with all the information needed for illicit access to user accounts.
The “Settings Storage” App
The silently installed app is disguised as “Settings Storage” on the Android device. If the user tries to run the app, it will exit and open the legitimate settings app. The app itself does not contain any malicious functionality, which makes it harder to detect. Instead, it depends entirely on the files that its C2 server provides during execution.
At the time of discovery, the threat actor behind AbstractEmu had already disabled the endpoints necessary to retrieve this additional payload from C2, which has prevented us from learning the ultimate aim of the attackers.
Rare or not, always keep your OS up to date
While we weren’t able to discover the purpose of AbstractEmu, we gained valuable insights into a modern, mass distributed rooting malware campaign, which has become rare as the Android platform matures.
Rooting Android or jailbreaking iOS devices are still the most invasive ways to fully compromise a mobile device. What we need to keep in mind — whether you’re an IT professional or a consumer — is that mobile devices are perfect tools for cyber criminals to exploit, as they have countless functionalities and hold an immense amount of sensitive data.
To ensure you or your organization stay secure, we recommend diligently keeping your operating system up to date. Additionally, we recommend downloading apps from official stores only, as malware taken down from these stores may still be available elsewhere. Regardless of which store you use, always exercise caution when installing unknown apps.
Of course, you should also have dedicated mobile security software to secure against all mobile threats, including phishing, OS and app vulnerabilities, malware and network threats.
Indicator of compromise
AbstractEmu APKs
(Download CSV file here)
File hashes - Exploit Files
(Download CSV file here)
File hashes - Rooting Tools
(Download CSV file here)
Network IOCs
(Download CSV file here)