New Android malware nicknamed SummaryEmu can root infected devices to gain full control and silently change system settings, as well as evade detection using code abstraction and anti emulation checks found bundled with other Apps in Google store and third party app stores

The apps bundling the malware included password managers and tools like data savers and app launchers, all delivering the functionality they had promised to avoid suspicion. Though removed from Google Store still distributed via other app stores

Lite Launcher, an app launcher and one of the apps used to distribute AbstractEmu malware to devices of unsuspecting Android users, recorded more than 10,000 downloads when it was removed from Google Play.

Advertisements

Once installed, AbstractEmu will begin collecting and sending system information to its C2 server while the malware waits for further commands.

AbstractEmu has several tools in the form of exploits that target several vulnerabilities, including CVE-2020-0041, a bug never exploited in the wild by Android applications before.

The malware also uses a CVE-2020-0069 exploit to abuse a vulnerability found in MediaTek chips used by dozens of smartphone makers who have collectively sold millions of devices.

The threat actors behind AbstractEmu also have enough skill to add support for more targets to the publicly available code for exploits CVE-2019-2215 and CVE-2020-0041. The threat actor can silently grant themselves dangerous permissions or install additional malware, steps that would normally require user interaction. the user.

AbstractEmu will wait for commands from its C2 server, which may ask it to harvest and exfiltrate files based on their novelty or match a given pattern, root infected devices, or install new applications.Additional actions that AbstractEmu can take after rooting a range of infected devices, from monitoring notifications, capturing screenshots, and screen recording to device lock, and even device password reset.

Advertisements

Elevated privileges also allow malware to access sensitive data from other applications, which is not possible under normal circumstances.

Indicator of Compromise

AbstractEmu APKs

File hashes – Exploit Files



File hashes – Rooting Tools

Advertisements

Network IOCs