Duncan Riley| Siliconangle.com »
A new form of Android malware has been discovered in the wild that can root and take complete control of the infected Android device.
Discovered by researchers at Lookout Inc. and revealed late last week, the new malware has been dubbed “AbstractEmu.” Although the Australian flightless bird may come to mind with the name, the origins are from its infection path. AbstractEmu used code abstraction and anti-emulation checked to avoid running while under analysis.
The researchers discovered 19 related applications to AbstractEmu, with seven containing rooting functionality. One infected app found on Google Play had more than 10,000 downloads. The app has since been removed from Google Play, but the malicious AndroidEmu functionality can be found in apps on third-party stores.
Android malware is not new, but what makes AndroidEmu stand out is that malware with root capabilities is rare in 2021. According to the researchers, the ability to root has become harder as Android has matured, making it less useful for threat actors.
The ability to root a device can be potentially dangerous. By gaining privileged access to an Android device, the threat actor can silently grant themselves dangerous permissions or silently install additional malware. Typically, Android malware requires user interaction. The access also gives the malware access to sensitive data from other apps.
What isn’t known is who is behind AbstractEmu. The best guess of the Lookout researchers is that it’s a well-resourced group with financial motivation. There were also notable similarities to banking trojans found in the code.
“AbstractEmu is a sophisticated and far-reaching malware. Exploiting a chipset vulnerability can allow a hacker to read/write physical memory, ” Doug Britton, chief executive officer of cybersecurity testing company Haystack Solutions Inc., told SiliconANGLE. “As a result, this can allow modification of user privilege. This is a fundamental piece of hardware to hundreds of thousands, even millions of devices. This combined with other highly technical exploits makes AbstractEmu a significant vulnerability.”
Saryu Nayyar, CEO of security information and event management company Gurucul Solutions Pvt. Ltd., noted that phones are increasingly being targeted for attacks, in large part because of the sheer number of devices in active use.
“Users have to take the same care with their phones that they do with their traditional computers, and be wary of installing unknown or unusual apps, and looking for different behaviors as they use their phones,” Nayyar explained. “Enterprises that provide phones to employees have to be able to monitor those devices for unusual activity.”