URL: https://www.csoonline.com/article/3639059/stealthy-trojan-that-roots-android-devices-makes-its-way-on-app-stores.html
News Analysis


Stealthy Trojan that roots Android devices makes its way on app stores


The criminals behind the Trojan have placed fully functional utilities that
carry malicious code on the Google Play store in a way that evades detection.

By Lucian Constantin

CSO Senior Writer, CSO | 2 November 2021 15:37 GMT


Jane Kelly / Roshi11 / Egor Suvorov / Getty Images



The Google Play store has become better in recent years at policing malware,
raising the bar for attackers, but well-crafted stealthy Trojans continue to
slip in from time to time. Such is the case of AbstractEmu, a recently
discovered threat masquerading as utility apps and capable of gaining full
control over devices through root exploits.

"This is a significant discovery because widely distributed malware with root
capabilities have become rare over the past five years," researchers from
security firm Lookout said in a recent analysis. "As the Android ecosystem
matures there are fewer exploits that affect a large number of devices, making
them less useful for threat actors."

AbstractEmu was found on Google Play, the Amazon Appstore, the Samsung Galaxy
Store and lesser-used app stores such as Aptoide and APKPure. It serves as a
reminder to enterprises, and to mobile device users in general, that while
downloading apps from trusted app stores significantly reduces the likelihood of
mobile device compromise, it is not a silver bullet, and additional protection
and monitoring are required. Choosing devices that receive regular and timely OS
security patches is equally important, as is limiting the number of apps on the
device and removing unneeded ones.


Likely financially motivated global campaign

According to Lookout, the AbstractEmu malware was found inside 19 apps posing as
password managers, app launchers, data savers, ambient lighting, ad blocking and
other utility apps. Some of the names include Anti-ads Browser, Data Saver, Lite
Launcher, My Phone, Night Light, All Passwords and Phone Plus. Lite Launcher,
for example, had over 10,000 downloads on Google Play when it was taken down.

All the apps appear to be fully functional, which suggests that they might be
legitimate apps that were maliciously modified and renamed. In addition to being
uploaded to various app stores, the researchers found the apps being promoted on
social media and Android-related forums, primarily in English, though an ad in
Vietnamese was also found.

"In addition to the untargeted distribution of the app, the extensive
permissions granted through root access align with other financially motivated
threats we have observed before," the researchers said. "This includes common
permissions banking Trojans request that provide them the ability to receive any
two-factor authentication codes sent via SMS or run in the background and launch
phishing attacks. There are also permissions that allow for remote interactions
with the device, such as capturing content on the screen and accessing
accessibility services, which enables threat actors to interact with other apps
on the device, including finance apps. Both are similar to the permissions
requested by the Anatsa and Vultur malware families."



Users in at least 17 countries have been affected by this new Trojan, and even
though the indiscriminate, wide-net targeting and other aspects suggest financial
motivation, the spyware capabilities of the malware are extensive and could be
used for other purposes, too. Unfortunately, the researchers were not able to
retrieve the final payloads served from the command-and-control server to
confirm the attackers' goals.




Rooting, anti-emulation and dynamic payloads

The AbstractEmu lure applications distributed on app stores contain code that
attempts to determine whether the app is running in an emulated environment or
on a real device. This is an important detection evasion tactic because Google
Play, like many other security vendors, executes submitted apps in an emulator
before scanning their code. The checks are similar to those from an open-source
library called EmulatorDetector and involve inspecting the device's system
properties, its list of installed applications and its filesystem.
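As an added illustration from the triage side (not code from Lookout or from the article), the following Python script scans strings extracted from an APK for the three kinds of emulator-detection artifacts the article describes and reports which check families are present; the indicator values and the sample strings are assumptions constructed for this example.

```python
from collections import defaultdict

# Indicator strings grouped by the three check families the article names
# (system properties, installed packages, filesystem). The values are
# well-known emulator artifacts of the kind open-source emulator detectors
# look for; this list is an assumption for the example, not Lookout's.
EMULATOR_INDICATORS = {
    "system_property": ["ro.kernel.qemu", "goldfish", "ranchu",
                        "google_sdk", "Android SDK built for"],
    "installed_package": ["com.google.android.launcher.layouts.genymotion",
                          "com.bluestacks", "com.android.emulator.smoketests"],
    "filesystem": ["/dev/socket/qemud", "/dev/qemu_pipe",
                   "/system/bin/qemu-props", "/dev/socket/genyd"],
}

# Constructed sample: strings as `strings classes.dex` might print them
# for an app carrying an EmulatorDetector-style check (hypothetical input).
SAMPLE_STRINGS = [
    "Lcom/example/util/DeviceCheck;",  # constructed class name
    "ro.kernel.qemu",
    "getprop",
    "/dev/socket/qemud",
    "com.bluestacks",
    "Data Saver",
]

def scan_strings(strings):
    """Map each indicator family to the sorted indicators seen in `strings`."""
    hits = defaultdict(set)
    for s in strings:
        for family, needles in EMULATOR_INDICATORS.items():
            for needle in needles:
                if needle in s:
                    hits[family].add(needle)
    return {family: sorted(found) for family, found in hits.items()}

def emulator_check_score(strings):
    """Number of distinct check families present (0-3); 3 mirrors the
    property/package/filesystem triple the article describes."""
    return len(scan_strings(strings))

if __name__ == "__main__":
    for family, found in scan_strings(SAMPLE_STRINGS).items():
        print(f"{family}: {', '.join(found)}")
    print("families hit:", emulator_check_score(SAMPLE_STRINGS))
```

A score of 3 is only a triage signal: legitimate apps (anti-fraud SDKs, DRM) also probe for emulators, so the hit should prompt dynamic analysis on real hardware rather than a verdict on its own.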



Once the app determines that it is running on a real device, it will start
communicating with the attackers' server and upload additional information about
the device including its manufacturer, model, version, serial number, telephone
number, IP address, timezone, and account information.

The server then uses this device information to decide whether the app should
attempt to root the device, that is, gain full administrative privileges (root)
by using exploits. The app bundles exploits for several vulnerabilities in
encoded form, and the order in which they are executed is determined by the
command-and-control server's response.

AbstractEmu includes both newer and older root exploits: CVE-2020-0069,
CVE-2020-0041, CVE-2019-2215 (Qu1ckr00t), CVE-2015-3636 (PingPongRoot) and
CVE-2015-1805 (iovyroot).

CVE-2020-0069 is a privilege escalation vulnerability in the MediaTek Command
Queue driver (or CMDQ driver) that affects millions of devices with
MediaTek-based chipsets from different manufacturers. The vulnerability was
patched in March 2020, but devices that are out of support and have not received
security updates from their manufacturers since then are still vulnerable.


CVE-2020-0041 is also a privilege escalation vulnerability that was patched in
March 2020, but which affects the Android Binder component. The limiting factor
is that only newer kernel versions have this vulnerability and many Android
devices use older kernels.

Many Android manufacturers have made progress in recent years when it comes to
releasing Android security updates in a timely manner, especially for their
flagship models, but the Android ecosystem fragmentation continues to be a
problem.

Manufacturers have multiple product lines with different chipsets and custom
firmware for each one, so even if Google releases monthly patches, integrating
those patches and shipping firmware updates for such a diverse portfolio of
devices can take anywhere from days to months. Generally, newer and higher-end
devices receive patches faster than older models, but the time to patch can
differ significantly from manufacturer to manufacturer. While malware with
rooting capabilities is not as effective as in the early days of Android, which
could explain its decline in recent years, many devices are still behind on
patches and are likely vulnerable even to one-year-old exploits like those used
by AbstractEmu.

The rooting process used by the Trojan also relies on shell scripts and binaries
copied from Magisk, an open-source solution for rooting Android phones that does
not modify the system partition and is therefore harder to detect. If rooting is
successful, the shell scripts silently install an app called Settings Storage
and grant it intrusive permissions without user interaction, including access to
contacts, call logs, SMS messages, location, camera and microphone.
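An added example, not from the article or from Lookout: a Python parser for `adb shell dumpsys package` output that flags installed packages holding several of the sensitive runtime permissions listed above, the kind of check an administrator or analyst could run on a device suspected of carrying the silently installed Settings Storage app. The excerpt and package names are constructed for the example, and the output layout is assumed to follow the common `granted=true/false` form.

```python
import re

# Permission families the article says the rogue "Settings Storage" app was
# silently granted: contacts, call logs, SMS, location, camera, microphone.
SENSITIVE = {
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)")

# Constructed excerpt in the shape of `adb shell dumpsys package` output
# (field layout varies by Android version; package names are placeholders).
SAMPLE_DUMPSYS = """\
  Package [com.example.settingsstorage] (1a2b3c):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""

def parse_dumpsys_package(text):
    """Return {package: set of permissions with granted=true}."""
    grants, current = {}, None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            grants.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            grants[current].add(m.group(1))
    return grants

def flag_overprivileged(grants, threshold=4):
    """Packages holding at least `threshold` of the sensitive permissions."""
    return {pkg: sorted(perms & SENSITIVE) for pkg, perms in grants.items()
            if len(perms & SENSITIVE) >= threshold}
```

On a real device, pipe `adb shell dumpsys package` into `parse_dumpsys_package` and review every flagged package against what the user actually installed; a package the user cannot account for that holds this many grants warrants a forensic image before any cleanup.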



The Settings Storage app itself does not contain malicious functionality and if
the user tries to open it, it will automatically open the system's normal
Settings application. However, the rogue app will execute additional payloads
from the command-and-control server that will take advantage of its permissions.
The Lookout researchers did not obtain these additional payloads from the
command-and-control server due to precautions taken by the attackers, but the
app's behavior is clearly aimed at making it harder for security products or APK
code scanners to detect its malicious nature.

"While we weren’t able to discover the purpose of AbstractEmu, we gained
valuable insights into a modern, mass distributed rooting malware campaign,
which has become rare as the Android platform matures," the researchers said.
"Rooting Android or jailbreaking iOS devices are still the most invasive ways to
fully compromise a mobile device. What we need to keep in mind -- whether you’re
an IT professional or a consumer -- is that mobile devices are perfect tools for
cyber criminals to exploit, as they have countless functionalities and hold an
immense amount of sensitive data."


Lucian Constantin is a senior writer at CSO, covering information security,
privacy, and data protection.

Copyright © 2021 IDG Communications, Inc.
