Recently, security researchers at Lookout Threat Lab discovered a new family of rooting malware distributed through Google Play as well as third-party stores for well-known Android devices, including the Amazon Appstore, Samsung Galaxy Store, Aptoide and APK sites, which have become "severe disaster areas" for this type of threat.
Root access is a level of privilege that gives complete control over an infected mobile device. Because Android is built on Linux, it inherits the Linux concept of root: a rooted Android phone grants the highest level of operating permissions over system files. Once the malware obtains root privileges, it roots the Android device, takes full control of it and silently changes system settings, while using code abstraction and anti-emulation checks to evade detection.
Lookout named the malware "AbstractEmu" because it uses code abstraction and anti-emulation checks to avoid running while under analysis.
(The "Lite Launcher" in the picture above is an alternative to the application launcher and is one of the AbstractEmu applications that appeared on Google Play. It has been downloaded more than 10,000 times.)
So far, Lookout has identified a total of 19 related applications, 7 of which contain rooting functionality, and 1 of which was downloaded more than 10,000 times from Google Play. To protect Android users, Lookout notified Google about the malware, and Google promptly removed the application.
As the Android ecosystem matures, the chance of this type of malware getting in and affecting a large number of devices is becoming smaller and smaller. Although rare, rooting malware is capable of doing almost anything on a device, and is therefore very dangerous.
Rooting malware gains privileged access to the Android operating system through the rooting process. It can quietly grant itself dangerous permissions or install additional malware, steps that would normally require user interaction. The elevated privileges also let the malware access the sensitive data of other applications, which poses a major security threat to device users.
Exploits updated to target more Android devices
To infect Android devices, the rooting malware AbstractEmu carries a variety of tools. These tools target multiple vulnerabilities, including CVE-2020-0041, which had never before been exploited by Android applications.
The malware also exploits CVE-2020-0069, a vulnerability in MediaTek chips used by dozens of smartphone manufacturers that have collectively sold millions of devices.
In addition, the threat actors behind AbstractEmu have sufficient skill and technical know-how to add support for more targets to the publicly available exploit code for CVE-2019-2215 and CVE-2020-0041.
Lookout researchers said: "This is a major discovery, because in the past five years, widely distributed malware with root functionality has become very rare."
"By using the root process to gain privileged access to the Android operating system, threat actors can silently grant themselves dangerous permissions or install additional malware. These steps usually require user interaction."
AbstractEmu waits for commands from its C2 server, which can instruct it to collect files based on how recently they were modified or on a given pattern, to root infected devices, or to install new applications.
Other operations AbstractEmu can perform after rooting the infected device include monitoring notifications, capturing screenshots, recording the screen, locking the device, and even resetting the device password.
The researchers added: "The elevated permissions also enable malware to access sensitive data of other applications, which is not possible under normal circumstances."