Rooting malware discovered on Google Play, Samsung Galaxy Store
Researchers found 19 mobile apps containing rooting malware on official and third-party Android app stores, including Google Play and Samsung Galaxy Store.
“While rare, rooting malware is very dangerous,” Lookout researchers Kristina Balaam and Paul Shunk explained.
“By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware – steps that would normally require user interaction. Elevated privileges also allow malware to access sensitive data from other applications, which is not possible under normal circumstances.”
About the malware
Dubbed AbstractEmu, the malware is inserted into otherwise functional applications and attempts to exploit several vulnerabilities to root the target device.
Once the device is rooted, a new app called “Settings Storage” is installed and granted the permissions it needs to access contacts, call logs, SMS messages, location, camera, and microphone. It also changes several settings so that it can reset the device password, install other (malicious) packages, draw over other windows, disable Google Play Protect, and so on.
“If the user tries to run the app, it will quit and open the legitimate Settings app. The app itself does not contain any malicious functionality, which makes it harder to detect. Instead, it depends entirely on the files its C2 server provides at runtime,” the researchers noted.
“At the time of discovery, the threat actor behind AbstractEmu had already disabled the endpoints necessary to retrieve this extra payload from C2, which kept us from knowing the attackers’ ultimate goal.”
Nonetheless, they believe the threat actor is a “well-resourced group with a financial motivation”: the Trojanized applications used sophisticated evasion techniques and were disguised as utility apps (password managers or money managers) and system tools (file managers and app launchers) in order to reach a wide range of Android users via Google Play, Amazon Appstore, Samsung Galaxy Store and lesser-known app stores such as Aptoide and APKPure.
“The types of vulnerabilities that AbstractEmu takes advantage of also indicate a goal of targeting as many users as possible, as very contemporary vulnerabilities from 2019 and 2020 are being exploited,” they explained.
“One of the exploits used CVE-2020-0041, a vulnerability never before seen exploited in the wild by Android apps. Another exploit targeted CVE-2020-0069, a vulnerability found in MediaTek chips used by dozens of smartphone makers who have collectively sold millions of devices. As a clue to the threat actor’s technical capabilities, they also modified the publicly available exploit code for CVE-2019-2215 and CVE-2020-0041 to add support for more targets.”
Finally, the permissions and capabilities that the Settings Storage app gains are those that other financially motivated threats typically take advantage of to intercept 2FA codes sent via SMS, overlay phishing screens on app windows, capture the content displayed on the device screen, interact with other applications, etc.
Prevention and remediation
Lookout discovered a total of 19 Trojanized applications, including one on Google Play that recorded more than 10,000 downloads (it has since been removed). The apps were named All Passwords, Anti-ads Browser, Data Saver, Lite Launcher, My Phone, Night Light and Phone Plus. (The malicious package names and other IoCs have been shared by Lookout.)
To avoid this type of malicious app, users and organizations should keep mobile operating systems updated with the latest security patches and be careful when installing unknown apps. Because the exploits AbstractEmu relies on target vulnerabilities that were patched in 2019 and 2020, a device running a current security patch level denies the malware its rooting step, and without root it cannot silently install the “Settings Storage” component or grant itself permissions.
“In an ideal scenario, the end user’s device would have been protected by a mobile security solution with the detection efficiency to be able to prevent malware from infecting the device. But in the event that a device has been rooted and maybe additional malware installed, there are only a few reasonable mitigation options,” Stephen Banda, senior director of security solutions at Lookout, told Help Net Security.
“The user can do a factory reset, then reinstall the operating system and restore the data to the device from a clean backup. While this method works in many cases, it is not a quick fix and does not completely solve the problem. For example, when a device has been infected with persistent malware, the malware is designed to automatically reinstall itself on the device after a factory reset.
“So honestly the best way to fix the problem if your device has been rooted is to erase the device and then properly throw it away and get a new one. It just isn’t worth the risk. Mobile device management solutions don’t help much in this case either, as they have no real-time threat detection capability and can only wipe the device, which wouldn’t help with persistent malware.”