One of the main reasons the malware epidemic in the Windows XP days was so severe was that almost all those machines were configured with only a single user account that had administrative privileges by default. That meant any malware running as that user had free rein to do whatever it wanted on the system.
These days, systems aren’t usually configured that way, and the largest category of personal computers out there—smartphones—usually don’t even have any way for users to gain administrative privileges at all. That’s why it’s so concerning when new phone malware is found that can gain root for itself. Such a capability means that the offending application can grant itself privileges, install additional software, and generally take full control over the device, all without any user approval or action.
Cybersecurity company Lookout’s threat lab just discovered exactly such a piece of malware. Lookout calls it “AbstractEmu” after its use of code abstraction and anti-emulation measures, which make it difficult to study. AbstractEmu gets onto a device by pretending to be a legitimate piece of software. Lookout found nineteen apps that were front-ends for the malware, including one app—“Lite Launcher”—with over 10,000 downloads on the Google Play Store. The other apps were distributed through third-party stores, like the Amazon Appstore and the Samsung store.
Once the app is launched, it first makes sure it’s not running under emulation, then contacts its command and control server to send back a whole pile of information about the device and its operating system. That information appears to be used to set up the malware’s next steps, in which it attempts to gain root access on the device. If it is successful, it then installs a second app and grants that app permissions for the contacts, call logs, SMS, location, camera, and microphone. That app masquerades as “Settings Storage”; attempting to open it will simply open the actual settings app.
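A defender-side way to look for the effect described above (a single installed app holding the whole set of sensitive permissions at once) is to audit granted runtime permissions per package. The script below is an added example for this article, not code from Lookout or from the malware. It parses text in the style of `adb shell dumpsys package <pkg>`; the exact dumpsys layout is an assumption that varies across Android versions, the sample input and package names are constructed for the example, and the mapping from the permission groups named in the report to concrete Android permission names is also an assumption.

```python
"""Flag installed packages that hold permissions from every sensitive group the
report lists. Input is dumpsys-style text; the SAMPLE below is constructed."""

import re

# Permission groups named in the report, mapped to Android runtime permissions
# that commonly implement them (assumed mapping, not taken from the article).
SENSITIVE = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
}

# Constructed sample: a messaging app with two sensitive groups, and a
# placeholder package mimicking the dropped "Settings Storage" app with all six.
SAMPLE = """\
Package [com.example.messenger] (1a2b3c):
  userId=10123
  runtime permissions:
    android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
    android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
    android.permission.CAMERA: granted=false, flags=[ USER_SET ]
Package [com.example.settingsstorage] (4d5e6f):
  userId=10124
  runtime permissions:
    android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
    android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
    android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
    android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
    android.permission.CAMERA: granted=true, flags=[ USER_SET ]
    android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
"""

PACKAGE_RE = re.compile(r"\s*Package \[([\w.]+)\]")
PERMISSION_RE = re.compile(r"\s*([\w.]+): granted=(true|false)")


def granted_permissions(dumpsys_text):
    """Return {package: set of granted runtime permissions} from dumpsys-style text."""
    result = {}
    current = None
    for line in dumpsys_text.splitlines():
        pkg = PACKAGE_RE.match(line)
        if pkg:
            current = pkg.group(1)
            result[current] = set()
            continue
        perm = PERMISSION_RE.match(line)
        if perm and current and perm.group(2) == "true":
            result[current].add(perm.group(1))
    return result


def covered_groups(perms):
    """Return the names of sensitive groups that a permission set touches."""
    return {group for group, names in SENSITIVE.items() if perms & names}


def suspicious_packages(dumpsys_text, min_groups=len(SENSITIVE)):
    """Packages granted permissions from at least min_groups sensitive groups."""
    return sorted(pkg for pkg, perms in granted_permissions(dumpsys_text).items()
                  if len(covered_groups(perms)) >= min_groups)


if __name__ == "__main__":
    for pkg in suspicious_packages(SAMPLE):
        print("review:", pkg, sorted(covered_groups(granted_permissions(SAMPLE)[pkg])))
```

On a real device you would feed it the concatenated output of `dumpsys package` for each installed package; lowering `min_groups` widens the net at the cost of more benign hits, such as messaging apps that legitimately hold contacts and SMS.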
Lookout wasn’t able to determine who is responsible for creating AbstractEmu, but says that the creator is probably “a well-resourced group” that is motivated financially, i.e. by the desire to steal money. Lookout draws comparisons between AbstractEmu and banking trojans that attempt to steal financial information from their victims, noting that it claims many of the same types of permissions. Lookout also notes that the malware seems engineered to target as many users as possible indiscriminately, further indicating that the goal was financial gain rather than government or corporate secrets.
If you’re concerned about whether you’ve been hit by AbstractEmu, you can hit up the Lookout blog to see the full list of known exploit packages.