[MART] - Daily Diary #380 - AbstractEmu Android Rooting Malware

CTAS-MAT ctas-mat at appgate.com
Fri Oct 29 19:03:36 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

10/29/2021 - Diary entry #380:


A new Android malware named AbstractEmu was recently discovered disguised as 19 different utility apps in the Google Play Store. One of them had over 10,000 downloads before being removed, and it is still available in third-party app stores.


Once installed and launched, AbstractEmu collects data from the infected device such as the manufacturer, IP address, time zone, package name, permissions granted, root status, and more. It then sends the collected data to its C2 server and waits for further commands from the attacker, most of which are aimed at stealing sensitive information. The attackers use this data to keep track of their infection campaign and to avoid analysis.


However, there is an additional command capable of running multiple tools to exploit vulnerabilities such as CVE-2020-0041, CVE-2020-0069, and CVE-2019-2215 in order to root Android devices. This allows the malware to gain privileged access and grant itself dangerous permissions that, without root privileges, would require user interaction. As root, AbstractEmu is capable of monitoring notifications, interacting with other apps, installing new apps, recording the screen, and making changes to the operating system.


AbstractEmu's motivations and the threat actors behind it are still unknown. However, Android malware with rooting capabilities is very dangerous, since it allows full control over the device and the exfiltration of sensitive data. This kind of malware is rare, which points to a fairly advanced threat actor.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549
