AbstractEmu, a root-access malware, has turned tens of thousands of smartphones into spyware
Malware dubbed AbstractEmu by its finders at the information security firm Lookout, after its use of code abstraction and anti-emulation checks that block analysis from the moment the trojanised app is opened, marks the return of malicious software with root capabilities, a class of threat already thought to be on the way out.
Lookout researchers have identified 19 apps in the Amazon App Store and the Samsung Galaxy Store related to the distribution of the malware, including utility apps, password managers and data-saving software; seven of them can provide root access, that is, the privilege to modify software code or install other software. One of them, Lite Launcher, was downloaded ten thousand times from the official Google Play store. AbstractEmu disguises itself as a storage manager called ‘Setting Storage’, and users are unlikely to notice anything, as the infected apps continue to function properly. Once downloaded to a mobile device, the malware has access to contacts, call logs, SMS messages and location, as well as to the phone’s camera and microphone.
However, smartphones with the March 2020 Android security update are not susceptible to this attack, as that update removed the vulnerabilities the malware exploits. Apps downloaded from independent, open-source Android app stores such as Aptoide and APK Pure, on the other hand, stand a high chance of being infected.
tomsguide.com has compiled a list of the compromised apps with rooting capabilities, along with some handy tips on how users can protect themselves from AbstractEmu:
- All Passwords, com.mobilesoft.security.password
- Anti-ads Browser, com.zooitlab.antiadsbrowser
- Data Saver, com.smarttool.backup.smscontacts
- Lite Launcher, com.st.launcher.lite
- My Phone, com.dentonix.myphone
- Night Light, com.nightlight.app
- Phone Plus, com.phoneplusapp
“If you have any apps matching these names, you’ll want to check whether they’re truly the same ones. Many apps share names, but the package names, the text strings that begin with ‘com’ above, are unique.
Use a desktop browser to go to the app store where you got the app and search for it. If the app is no longer in the app store, then delete it from your device.
If the app you downloaded is still there, then check if the icon on its listing page matches what’s on your phone. If so, then check the URL, aka web address, of the listing page — the Android package name should be in the URL somewhere. If that matches the package name above, delete the app.
This last step doesn’t work for the Amazon App Store, which doesn’t seem to list an app’s Android package name anywhere. You’ll have to use your own judgment there.
You’ll also want to keep your Android phone as updated as possible. All the flaws used by this malware have been patched as of the March 2020 official Android security update. If your Android phone hasn’t received a security update since then, it might be time to look into getting a new phone.”
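The two checks in the quoted advice, comparing installed package names (not display names) against the list and reading the package name out of a store listing URL, can be automated. The script below is an added example written for this article, not tooling from Lookout or Tom's Guide. It assumes the installed-package list is the output of `adb shell pm list packages` (one `package:<name>` line per app) and that Google Play listing URLs carry the package name in the `id` query parameter; the device output shown is constructed for the example.

```python
"""Check a device's package list and app-store listing URLs against the
AbstractEmu package names quoted in the article.  Added example; assumes
`adb shell pm list packages` output format and Google Play's `?id=` URL
parameter."""
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlparse

# Package names copied from the list in the article above.
ABSTRACTEMU_PACKAGES: Dict[str, str] = {
    "com.mobilesoft.security.password": "All Passwords",
    "com.zooitlab.antiadsbrowser": "Anti-ads Browser",
    "com.smarttool.backup.smscontacts": "Data Saver",
    "com.st.launcher.lite": "Lite Launcher",
    "com.dentonix.myphone": "My Phone",
    "com.nightlight.app": "Night Light",
    "com.phoneplusapp": "Phone Plus",
}


def parse_pm_list(output: str) -> Set[str]:
    """Parse `pm list packages` output into a set of package names.
    Lines that do not start with 'package:' (warnings, blanks) are ignored."""
    packages = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.add(line[len("package:"):].strip())
    return packages


def find_installed_iocs(output: str) -> Dict[str, str]:
    """Return {package_name: app_name} for every installed package that is on
    the AbstractEmu list.  Matching is on the package name only, since app
    display names are not unique."""
    installed = parse_pm_list(output)
    return {pkg: name for pkg, name in ABSTRACTEMU_PACKAGES.items() if pkg in installed}


def package_from_listing_url(url: str) -> Optional[str]:
    """Extract the package name from a Google Play listing URL (the `id`
    query parameter).  Returns None when the URL carries no package id,
    which is the case for stores that do not expose it (see the note on the
    Amazon App Store above)."""
    ids = parse_qs(urlparse(url).query).get("id")
    return ids[0] if ids else None


def listing_matches_ioc(url: str) -> bool:
    """True if the listing URL's package name is on the AbstractEmu list."""
    pkg = package_from_listing_url(url)
    return pkg is not None and pkg in ABSTRACTEMU_PACKAGES


# Constructed sample, mimicking `adb shell pm list packages` on a phone with
# two of the listed packages installed.
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:com.st.launcher.lite
package:com.example.notes
package:com.nightlight.app
"""

if __name__ == "__main__":
    for pkg, name in sorted(find_installed_iocs(SAMPLE_PM_OUTPUT).items()):
        print(f"MATCH: {name} ({pkg}) is on the AbstractEmu list; uninstall it")
    listing = "https://play.google.com/store/apps/details?id=com.st.launcher.lite"
    print("listing URL points at a listed package:", listing_matches_ioc(listing))
```

On a real device, pipe `adb shell pm list packages` into `find_installed_iocs`; a match on the package name is the signal to remove the app, whereas a matching display name alone is not.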
Avoiding the “off-road” Android app markets named above can also significantly mitigate the risk of a smartphone getting infected with the malware.