AbstractEmu Malware

AbstractEmu Malware Description

AbstractEmu is an Android malware family equipped with rooting capabilities that give it full control over an infected device. The threat was first uncovered by researchers at Lookout Threat Labs, who identified nineteen weaponized applications spreading it. The applications performed their advertised functionality to avoid raising suspicion, posing as password managers, data savers, application launchers and similar utilities.

These trojanized utility applications were available for download from multiple reputable app stores, including Google Play, the Amazon Appstore, Aptoide, APKPure and the Samsung Galaxy Store. Once notified of the threat, Google removed the applications from its platform. Still, one of them, Lite Launcher, which posed as a legitimate application launcher, had already reached over 10,000 downloads by the time it was removed.

Technical Details

AbstractEmu is a widely distributed threat with rooting capabilities, which has become a rarity among Android malware in recent years. Although it lacks the sophisticated tooling typically associated with advanced APT groups, it remains an effective threat: the malicious code runs as soon as the user opens one of the trojanized applications.

To gain root privileges, AbstractEmu exploits several vulnerabilities. Its campaign is the first in which an exploit for CVE-2020-0041 was observed being abused in the wild. It also targets CVE-2020-0069, a vulnerability in MediaTek chipsets that could affect millions of shipped devices. In addition, the operators incorporated publicly available exploit code for CVE-2019-2215 and CVE-2020-0041 into the malware. All of these bugs have vendor fixes, so a device whose security patch level predates those fixes remains exposed to the rooting stage.
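The practical question for a responder is whether a given device can still be rooted by these exploits. The following triage helper is an added example (not code from Lookout or from the malware) that parses an `adb shell getprop` dump and compares the device's security patch level against the Android Security Bulletin levels that shipped the fixes (October 2019 for CVE-2019-2215, March 2020 for CVE-2020-0041 and CVE-2020-0069). The patch-level dates, the MediaTek detection heuristic based on `ro.board.platform`, and the sample property dump are assumptions constructed for the example.

```python
"""Triage helper: does a device's Android security patch level predate the
fixes for the vulnerabilities AbstractEmu is reported to exploit?

Added example, not code from Lookout or from the malware. Fix dates are the
Android Security Bulletin patch levels (assumption, see lead-in); the getprop
dump below is constructed sample input.
"""
from datetime import date
from typing import Dict, List, Optional

# CVE -> first security patch level that includes the fix (assumed bulletin dates).
FIX_PATCH_LEVEL = {
    "CVE-2019-2215": date(2019, 10, 6),   # Binder use-after-free
    "CVE-2020-0041": date(2020, 3, 5),    # Binder out-of-bounds write
    "CVE-2020-0069": date(2020, 3, 5),    # MediaTek CMDQ driver (MediaTek-SU)
}

# Constructed sample: a 2019-era MediaTek device with a December 2019 patch level.
SAMPLE_GETPROP = """
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-12-05]
[ro.board.platform]: [mt6765]
[ro.product.manufacturer]: [ExampleVendor]
"""


def parse_getprop(dump: str) -> Dict[str, str]:
    """Parse `adb shell getprop` output, one `[key]: [value]` pair per line."""
    props: Dict[str, str] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue  # ignore blank or malformed lines
        key, _, value = line[1:-1].partition("]: [")
        props[key] = value
    return props


def parse_patch_level(value: str) -> Optional[date]:
    """Turn a YYYY-MM-DD patch level into a date; None if absent or malformed."""
    try:
        year, month, day = (int(part) for part in value.split("-"))
        return date(year, month, day)
    except ValueError:
        return None


def is_mediatek(props: Dict[str, str]) -> bool:
    """Heuristic (assumption): MediaTek platforms report an 'mt' board platform."""
    platform = props.get("ro.board.platform", props.get("ro.hardware", ""))
    return platform.lower().startswith("mt")


def unpatched_cves(props: Dict[str, str]) -> List[str]:
    """Return the CVEs whose fix postdates the device's security patch level.

    A hit means the device may be exploitable by the corresponding rooting
    exploit. It is a triage signal only: OEMs sometimes backport fixes without
    raising the patch level, and a fully patched device can still run the
    trojanized app, just not its rooting stage.
    """
    level = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    if level is None:
        return sorted(FIX_PATCH_LEVEL)  # unknown level: treat every bug as exposed
    hits = []
    for cve, fixed in FIX_PATCH_LEVEL.items():
        if cve == "CVE-2020-0069" and not is_mediatek(props):
            continue  # chipset-specific bug; irrelevant on non-MediaTek hardware
        if level < fixed:
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    exposed = unpatched_cves(parse_getprop(SAMPLE_GETPROP))
    print("exposed to:", ", ".join(exposed) if exposed else "none of the listed CVEs")
```

On a live device the dump comes from `adb shell getprop`; an empty result only says the rooting exploits named above should fail, not that the device is clean, so it belongs alongside a package review rather than replacing one.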

AbstractEmu's Functionality

Once running on a device, AbstractEmu can carry out a wide range of intrusive actions. It first profiles the compromised device, collecting the manufacturer, model, OS version, IP address, MAC address, the privilege level the malware has obtained, account information and more. This data is sent to the Command-and-Control (C2, C&C) server, after which AbstractEmu remains dormant on the device awaiting further commands.

Because the malware runs with root privileges, its operators can do almost anything they wish on the device. AbstractEmu can be instructed to collect specified files, harvest contacts including names and phone numbers, track the device's location, fetch and install additional malicious payloads, and more.