Security researchers at the Lookout Threat Labs have discovered a new Android malware, dubbed AbstractEmu, with rooting capabilities distributed on Google Play and major third-party stores, including the Amazon Appstore and Samsung Galaxy Store.


Lookout researchers named the malware "AbstractEmu" because it uses code abstraction and anti-emulation checks to avoid running while under analysis. A total of 19 related applications were uncovered, seven of which contain rooting functionality, including one on Google Play that had more than 10,000 downloads. Google promptly removed the app as soon as Lookout notified them of the malware, to protect Android users. However, the other app stores are likely still distributing them.


While rare, rooting malware is very dangerous. Using the rooting process to gain privileged access to the Android operating system allows the threat actor to silently grant themselves dangerous permissions or install additional malware — steps that would typically require user interaction. Elevated privileges also give the malware access to other apps' sensitive data, something not possible under normal circumstances.


While not much is known about who is behind AbstractEmu, Lookout believes the actors are a well-resourced group with financial motivation. Their codebase and evasion techniques — such as the use of burner emails, names, phone numbers and pseudonyms — are fairly sophisticated. Lookout also found parallels between the malware and banking trojans, such as the untargeted distribution of their apps and the permissions they request.


Researchers say one of the significant clues about the threat actors behind AbstractEmu is the widespread, untargeted distribution of the apps. Of the 19 apps found to be related to the malware, most were disguised as utility apps such as password or money managers and system tools like file managers and app launchers. All of them appeared functional to users.


For the full story, please visit https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign.