This Malware Is A Rare Instance Of 'Rooting Malware' That Exploits Android Weaknesses


Android is a very capable operating system, powerful and extremely flexible. But that flexibility comes with a cost.

Android has always been highly customizable. And when customization through the normal settings is not enough, people can root their phones to unlock far more. With deeper access to the system (root access), users can tweak their Android phones well beyond what Google intended.

This time, security researchers at Lookout Threat Labs discovered a malware family that automatically roots infected phones to gain elevated privileges and silently changes system settings, all in order to take complete control of the victim's device.

Dubbed 'AbstractEmu', the malware can then monitor notifications, capture screenshots, record the screen, and even reset the device's password.

"Elevated privileges also give the malware access to other apps’ sensitive data, something not possible under normal circumstances," the researchers explained in a blog post.

To stay undetected and keep its foothold, the malware also uses code abstraction (to frustrate static analysis) and anti-emulation checks (to avoid running under an analyst's sandbox or emulator).
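The anti-emulation idea above is generic Android malware tradecraft: before detonating, the sample fingerprints the device and stays dormant if it sees an emulator. The script below is an added illustration of that technique, written for this page; it is not AbstractEmu's own code and not from the Lookout write-up. It parses `adb shell getprop` style output and scores a handful of well-known emulator tells. The property names are real Android system properties, but the indicator values and both sample dumps are assumptions constructed by hand, so a sandbox operator can run it against a real dump to see which tells their analysis environment still exposes.

```python
"""Emulator fingerprinting heuristics of the kind Android malware uses to
stay dormant under dynamic analysis.

Added example for this article, not AbstractEmu's code and not from Lookout.
Property names are real Android system properties; indicator values are
assumptions based on the stock Android SDK emulator, and the sample dumps
below are constructed, not captured from real devices.
"""
import re
from typing import Callable, Dict, List

# Well-known emulator tells (values are assumptions, see module docstring).
EMULATOR_INDICATORS: Dict[str, Callable[[str], bool]] = {
    "ro.kernel.qemu": lambda v: v == "1",
    "ro.hardware": lambda v: v in {"goldfish", "ranchu"},
    "ro.product.model": lambda v: "sdk" in v.lower() or "emulator" in v.lower(),
    "ro.build.fingerprint": lambda v: "generic" in v or "test-keys" in v,
    "ro.product.device": lambda v: v.startswith("generic"),
}

# `getprop` prints one "[key]: [value]" pair per line.
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(dump: str) -> Dict[str, str]:
    """Parse `adb shell getprop` output into a key -> value dict."""
    props: Dict[str, str] = {}
    for line in dump.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def emulator_tells(props: Dict[str, str]) -> List[str]:
    """Return the names of the properties whose values look like an emulator."""
    return [key for key, check in EMULATOR_INDICATORS.items()
            if key in props and check(props[key])]


def looks_like_emulator(props: Dict[str, str], threshold: int = 2) -> bool:
    """Malware typically refuses to detonate once enough tells are present."""
    return len(emulator_tells(props)) >= threshold


# Constructed sample dumps (hypothetical values, not real captures).
EMULATOR_DUMP = """\
[ro.kernel.qemu]: [1]
[ro.hardware]: [ranchu]
[ro.product.model]: [Android SDK built for x86]
[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:11/RSR1.201013.001/6903271:userdebug/dev-keys]
[ro.product.device]: [generic_x86]
"""

PHYSICAL_DUMP = """\
[ro.hardware]: [qcom]
[ro.product.model]: [Pixel 4a]
[ro.build.fingerprint]: [google/sunfish/sunfish:11/RQ3A.210905.001/7511028:user/release-keys]
[ro.product.device]: [sunfish]
"""

if __name__ == "__main__":
    for name, dump in (("emulator", EMULATOR_DUMP), ("physical", PHYSICAL_DUMP)):
        props = parse_getprop(dump)
        print(name, emulator_tells(props), looks_like_emulator(props))
```

The defensive takeaway is the mirror image: a sandbox that wants such a sample to detonate has to present plausible values for every one of these properties, not just the obvious `ro.kernel.qemu`, because a threshold-based check like `looks_like_emulator` only needs a couple of tells to trip.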

The malware begins all of this as soon as the infected app is launched.

AbstractEmu first harvests system information and sends it to its command-and-control (C2) server. Based on that fingerprint, it then selects from a set of bundled exploits for several known Android vulnerabilities and attempts to root the device.

"By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware — steps that would normally require user interaction."

"AbstractEmu does not have any sophisticated zero-click remote exploit functionality used in advanced APT-style threats, it is activated simply by the user having opened the app," the Lookout researchers said.

AbstractEmu was found bundled with 19 utility apps distributed via Google Play and third-party app stores.

These apps range from password managers and data savers to app launchers and other utilities.

The malicious actors bundled the malware with legitimate-looking apps to avoid suspicion.

More importantly, the apps delivered the functionality they promised, so they never raised any alarm with users.

AbstractEmu disguised itself as a number of different apps. (Credit: Lookout)

"As the malware is disguised as functional apps, most users will likely interact with them shortly after downloading."

"A total of 19 related applications were uncovered, seven of which contain rooting functionality, including one on Play that had more than 10,000 downloads," the researchers said.

"This is a significant discovery because widely-distributed malware with root capabilities has become rare over the past five years," the Lookout researchers said.

"As the Android ecosystem matures there are fewer exploits that affect a large number of devices, making them less useful for threat actors."

The researchers reported their findings to Google, which quickly removed the offending apps from the Play Store. Apps obtained from third-party stores remain outside Google's reach, so users who installed them from elsewhere will need to remove them themselves.

Published: 29/10/2021