The Google Play store has become better in recent years at policing malware, raising the bar for attackers, but well-crafted stealthy Trojans continue to slip in from time to time. Such is the case of AbstractEmu, a recently discovered threat masquerading as utility apps and capable of gaining full control over devices through root exploits.
"This is a significant discovery because widely distributed malware with root capabilities have become rare over the past five years," researchers from security firm Lookout said in a recent analysis. "As the Android ecosystem matures there are fewer exploits that affect a large number of devices, making them less useful for threat actors."
AbstractEmu was found on Google Play, Amazon Appstore, the Samsung Galaxy Store and other lesser used app stores like Aptoide and APKPure. It serves as a reminder to enterprises and mobile device users in general, that while downloading apps from trusted app stores significantly reduces the likelihood of mobile device compromise, it's not a silver bullet and additional protection and monitoring is required.
Choosing devices that offer regular and timely OS security patches is very important as well as limiting the number of apps on the device and removing unneeded ones.
Likely financially motivated global campaign
According to Lookout, the AbstractEmu malware was found inside 19 apps posing as password managers, app launchers, data savers, ambient lighting ad blocking and other utility apps. Some of the names include Anti-ads Browser, Data Saver, Lite Launcher, My Phone, Night Light, All Passwords and Phone Plus. Lite Launcher, for example, had over 10,000 downloads on Google Play when it was taken down.
All the apps appear to be fully functional, which suggests that they might be legitimate apps that were maliciously modified and renamed. In addition to being uploaded to various app stores, the researchers found the apps being promoted on social media and Android-related forums, primarily in English, though an ad in Vietnamese was also found.
"In addition to the untargeted distribution of the app, the extensive permissions granted through root access align with other financially motivated threats we have observed before," the researchers said. "This includes common permissions banking Trojans request that provide them the ability to receive any two-factor authentication codes sent via SMS or run in the background and launch phishing attacks.
"There are also permissions that allow for remote interactions with the device, such as capturing content on the screen and accessing accessibility services, which enables threat actors to interact with other apps on the device, including finance apps. Both are similar to the permissions requested by the Anatsa and Vultur malware families."
Users from at least 17 countries have been impacted by this new Trojan and even though the indiscriminate wide net targeting and other aspects suggest financial motivation, the spyware capabilities of the malware are extensive and could be used for other purposes, too.
Unfortunately, the researchers were not able to retrieve the final payloads served from the command-and-control server to confirm the attackers' goals.
Rooting, anti-emulation and dynamic payloads
The AbstractEmu lure applications that are distributed on app stores contain code that attempts to determine if the app is being run in an emulated environment or on a real device. This is an important detection evasion tactic because Google Play executes submitted apps in an emulator before scanning their code and so do many other security vendors.
The checks are similar to those from an open-source library called EmulatorDetector and involve checking the device's system properties, list of installed applications and filesystem.
Once the app determines that it is running on a real device, it will start communicating with the attackers' server and upload additional information about the device including its manufacturer, model, version, serial number, telephone number, IP address, timezone, and account information.
The server will then use this device information to determine whether the app should attempt to root the device -- gain full administrative privileges (root) by using exploits. The app bundles exploits for several vulnerabilities in encoded form and the order in which they get executed is determined by the command-and-control server's response.
AbstractEmu includes both newer and older root exploits: CVE-2020-0069, CVE-2020-0041, CVE-2019-2215 (Qu1ckr00t), CVE-2015-3636 (PingPingRoot) and CVE-2015-1805 (iovyroot).
CVE-2020-0069 is a privilege escalation vulnerability in the MediaTek Command Queue driver (or CMDQ driver) that affects millions of devices with MediaTek-based chipsets from different manufacturers. The vulnerability was patched in March 2020, but devices that are out of support and have not received security updates since then from their manufacturers, are still vulnerable.
CVE-2020-0041 is also a privilege escalation vulnerability that was patched in March 2020, but which affects the Android Binder component. The limiting factor is that only newer kernel versions have this vulnerability and many Android devices use older kernels.
Many Android manufacturers have made progress in recent years when it comes to releasing Android security updates in a timely manner, especially for their flagship models, but the Android ecosystem fragmentation continues to be a problem.
Manufacturers have multiple product lines with different chipsets and custom firmware for each one, so even if Google releases monthly patches, integrating those patches and shipping firmware updates for such a diverse portfolio of devices can take between days to months.
Generally newer and higher-end devices receive patches faster than older models, but the time to patch can differ significantly from manufacturer to manufacturer. While malware with rooting capabilities is not as effective as in the early days of Android, which could explain its decline in recent years, many devices are still behind on patches and are likely vulnerable even to one-year-old exploits like those used by AbstractEmu.
The rooting process used by the Trojan also uses shell scripts and binaries copied from Magisk, an open-source solution for rooting Android phones in a way that doesn't modify the system partition and is harder to detect.
If rooting is successful, the shell scripts silently install an app called Settings Storage and give it intrusive permissions without user interaction including access to contacts, call logs, SMS messages, location, camera and microphone.
The Settings Storage app itself does not contain malicious functionality and if the user tries to open it, it will automatically open the system's normal Settings application. However, the rogue app will execute additional payloads from the command-and-control server that will take advantage of its permissions.
The Lookout researchers did not obtain these additional payloads from the command-and-control server due to precautions taken by the attackers, but the app's behaviour is clearly aimed at making it harder for security products or APK code scanners to detect its malicious nature.
"While we weren’t able to discover the purpose of AbstractEmu, we gained valuable insights into a modern, mass distributed rooting malware campaign, which has become rare as the Android platform matures," the researchers said.
"Rooting Android or jailbreaking iOS devices are still the most invasive ways to fully compromise a mobile device. What we need to keep in mind -- whether you’re an IT professional or a consumer -- is that mobile devices are perfect tools for cyber criminals to exploit, as they have countless functionalities and hold an immense amount of sensitive data."