Android Utility Apps Removed from Google Play

Researchers have helped remove 19 Android apps from the Google Play Store that installed a unique rooting malware to take over the smartphone.

Lookout’s cybersecurity analysts discovered AbstractEmu, which rooted an infected Android device and ran several malicious activities such as monitoring notifications, capturing screenshots, recording the screen, and even resetting the password or locking it entirely.

“By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware — steps that would normally require user interaction,” observe the researchers.

The phony applications were disguised as utility programs such as password managers, data savers, and app launchers, and they were fully functional.

The researchers claim that seven of the 19 apps were capable of rooting the device; one had been downloaded more than 10,000 times.

It’s uncommon, but it’s deadly.

While rooting malware has practically disappeared in the last five years, AbstractEmu is proof that it isn’t dead yet, according to the researchers.

The researchers are also intrigued by the malware’s attempts to avoid detection using code abstraction and anti-emulation checks.

AbstractEmu is malware that infects Android devices and roots them remotely over the internet.

Once inside a device, it uses one of five exploits for older Android security flaws in order to root and take over the unit.

It collects various information about the device and sends it to a remote server, then sits back while additional payloads are delivered.

“At the time of discovery, the threat actor behind AbstractEmu had already disabled the endpoints necessary to retrieve this additional payload from C2 [command-and-control server], which has prevented us from learning the ultimate aim of the attackers,” the researchers conclude.