October 28, 2021

AbstractEmu: Mobile Rooting Malware

How Lookout Detects and Protects

Cybercriminals will try to use legitimate capabilities to obfuscate malicious activity. The true intentions of an app are oftentimes hidden in the data access permissions and behaviors, and even then, can be difficult to uncover without the right tools. Static and dynamic analysis of the industry’s largest mobile dataset enables Lookout researchers to protect customers by continuously discovering and researching new threats. Devices with Lookout installed can detect and be alerted if AbstractEmu is present on the device.

To learn more about the technical specifications of this campaign, including IOCs, read the full article here.

Key Findings

  • The malware uses rooting to gain privileged access to the device.
  • AbstractEmu exploits several vulnerabilities, including CVE-2020- 0041which hadn’t been knowingly exploited in the wild before.
  • In-depth technical analysis and IOCs are available here.

Background and Discovery Timeline

Researchers at Lookout have discovered 19 applications, some with as many as 10,000 downloads, present in mobile app stores. The malware, dubbed AbstractEmu, uses code abstraction and anti-emulation checks to avoid running while under analysis. This helps minimize the chance that it will be uncovered.

Capabilities and Affected Parties

AbstractEmu leverages advanced evasion tactics and has a sophisticated code base, which indicates that the threat actor group behind it is well-resourced and has financial motivations. The malware can exploit several vulnerabilities to gain root access to the device. CVE-2020-0041 had not been previously exploited in the wild, CVE-2020-0069 is a vulnerability found in MediaTek chips which are used by dozens of smartphone manufacturers, then the AbstractEmu actors also modify publicly available code for other CVEs in order to add support for more targets.

Once the device is rooted, AbstractEmu exhibits behaviors similar to banking trojans that Lookout has discovered in the past. This includes the ability to gain permissions that enable them to phish login credentials and two-factor authentication tokens delivered by SMS. In addition, we observed more advanced capabilities such as enabling the threat actor to interact with other apps on the device and capturing content on the screen.

Authors

Lookout

Cloud & Endpoint Security

Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves.

Discovered By
Lookout
Threat Type
Malware
Entry Type
Threat Guidances
Platform(s) Affected
Lookout
Malware
Threat Guidances

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell