Rooting malware discovered on Google Play, Samsung Galaxy Store

Researchers have discovered 19 mobile apps carrying rooting malware on official and third-party Android app stores, including Google Play and Samsung Galaxy Store.

“While rare, rooting malware is very dangerous,” Lookout researchers Kristina Balaam and Paul Shunk explained.

“By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware — steps that would normally require user interaction. Elevated privileges also give the malware access to other apps’ sensitive data, something not possible under normal circumstances.”

About the malware

Dubbed AbstractEmu, the malware is inserted into (functional) applications and tries to exploit a variety of vulnerabilities to root the target devices.

Once that’s achieved, a new app called “Settings Storage” is installed and given permissions required to access contacts, call logs, SMS messages, location information, camera and microphone. It also changes several settings that allow it to reset the device password, install other (malicious) packages, draw over other windows, disable Google Play Protect, and more.

“If the user tries to run the app, it will exit and open the legitimate settings app. The app itself does not contain any malicious functionality, which makes it harder to detect. Instead, it depends entirely on the files that its C2 server provides during execution,” the researchers noted.

“At the time of discovery, the threat actor behind AbstractEmu had already disabled the endpoints necessary to retrieve this additional payload from C2, which has prevented us from learning the ultimate aim of the attackers.”

Nevertheless, they believe the threat actor is a “well-resourced group with financial motivation,” since the trojanized apps used sophisticated evasion techniques and were disguised as utility apps (password or money managers) and system tools (file managers and app launchers) to target a wide swath of Android users using Google Play, Amazon Appstore and Samsung Galaxy Store and lesser known app stores such as Aptoide and APKPure.

“The types of vulnerabilities AbstractEmu takes advantage of also point to a goal of targeting as many users as possible, as very contemporary vulnerabilities from 2019 and 2020 are leveraged,” they explained.

“One of the exploits used CVE-2020-0041, a vulnerability not previously seen exploited in the wild by Android apps. Another exploit targeted CVE-2020-0069, a vulnerability found in MediaTek chips used by dozens of smartphone manufacturers that have collectively sold millions of devices. As a hint to the threat actor’s technical abilities, they also modified publicly available exploit code for CVE-2019-2215 and CVE-2020-0041 in order to add support for more targets.”

Finally, the permissions and capabilities the “Settings Storage” app gains are those other financially motivated threats usually take advantage of to intercept 2FA codes sent via SMS, overlay phishing screens over app windows, capture content shown on the device screen, interact with other apps, and so on.

Prevention and remediation

Lookout discovered a total of 19 related trojanized applications, including one on Google Play that had more than 10,000 downloads (it has since been removed). Their names are All Passwords, Anti-ads Browser, Data Saver, Lite Launcher, My Phone, Night Light, and Phone Plus. (The names of the malicious packages and other IoCs have been shared.)

To avoid these types of malicious apps, users and organizations should regularly update mobile OSes with the latest security patches and be careful when installing unknown apps.

“In an ideal scenario, the end user’s device would have been protected by a mobile security solution with the detection efficacy to be able to prevent the malware from infecting the device. But in the case where a device has been rooted and perhaps additional malware installed, there are only a couple reasonable mitigations options,” Stephen Banda, Senior Manager of Security Solutions at Lookout, told Help Net Security.

“The user could do a factory reset and then re-install the operating system and restore the data on the device from a clean backup. Although this method works in many cases, it is not a silver bullet and does not fully resolve the issue. For instance, when a device has been infected with persistent malware, the malware is designed to automatically reinstall itself onto the device following a factory reset.

“So honestly, the best way to resolve the issue if your device has been rooted, is to wipe the device and then dispose of it properly and get a new one. It’s just not worth the risk. Mobile device management solutions don’t help much either in this case, as they have no real-time threat detection capability and could only wipe the device, which would not help with persistent malware.”