CVSS2
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score
Confidence: High

EPSS
Percentile: 50.6%
Over the last several years, as the Android ecosystem matured, widely-distributed malware with rooting capabilities has become rare. But its rarity doesn’t mean it’s not still a threat.
By definition, rooting malware is extremely dangerous because it can gain privileged access to the Android operating system. This enables the malware to grant itself further permissions, change system settings and install additional malware, steps that usually require user interaction. Armed with these invasive controls, threat actors can then conduct targeted phishing attacks, steal sensitive data needed to compromise user accounts or conduct surveillance.
Recently, the Lookout Threat Lab uncovered the first widespread rooting malware campaign in five years. Dubbed AbstractEmu due to its use of code extraction and anti-emulation checks to avoid detection, the malware was found on Google Play and other prominent third-party app stores such as Amazon Appstore and the Samsung Galaxy Store. Lookout notified Google and the apps were promptly removed.
Using AbstractEmu as an example, here are the things you should look for to ensure you don't fall victim to rooting malware.
AbstractEmu is a great example of how threat actors can leverage rooting exploits to indiscriminately target the general population. Most vulnerabilities, once discovered, are patched over with updates. But users are protected only if they take the time to update their devices.
There are numerous vulnerabilities within the Android ecosystem that are ripe to be exploited. This campaign targets very contemporary vulnerabilities from 2019 and 2020, including CVE-2020-0041, a vulnerability not previously seen used in the wild. AbstractEmu also targeted CVE-2020-0069, a vulnerability found in MediaTek chips used by dozens of smartphone manufacturers. Collectively, there are millions of devices that are affected by this vulnerability.
Something that is not unique to rooting malware, but has aided the distribution of the AbstractEmu campaign, is trojanizing apps. By disguising its malicious intent behind seemingly innocuous apps, the threat actor is able to lure unsuspecting users into downloading the malware.
Lookout researchers found a total of 19 apps related to the malware, seven of which contained rooting functionalities. One app that was found on Google Play was confirmed to have been downloaded more than 10,000 times. AbstractEmu disguised itself as a number of different apps, including utility apps, such as password managers, and system tools like app launchers or data savers.
AbstractEmu does not have sophisticated zero-click remote exploit functionality used in advanced APT-style threats like Pegasus. But it doesn’t need this capability, since the malware will be activated when the user opens the trojanized app shortly after downloading it.
Protecting yourself against AbstractEmu highlights a couple of the cybersecurity best practices that we should all keep in mind, whether you’re an IT professional or just an individual. Tablets and smartphones are how most of us stay connected to work and manage personal responsibilities, which means they hold an immense amount of data. These devices are also very sophisticated and have countless functionalities that bad actors can leverage.
To protect yourself and your organization, you should always keep your device’s operating system up to date. I also recommend using official app stores only, and even then, exercise caution when downloading something unknown to you.
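The two recommendations above, an up-to-date OS and apps sourced only from official stores, can be checked on a managed Android fleet rather than left to habit. The script below is an added example written for this article, not code from Lookout or Threatpost. It parses the output of two standard `adb shell` commands: `getprop ro.build.version.security_patch` (the device's security patch level) and `pm list packages -3 -i` (third-party packages with the package name of whatever installed them). The sample outputs, the required patch date and the set of "official" installer package names are all constructed assumptions for the example; in particular, the March 2020 cutoff is assumed here to be the patch level that carries fixes for the 2019/2020 vulnerabilities the article mentions, and an organisation should set its own cutoff and store list.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop ro.build.version.security_patch`.
SAMPLE_PATCH_LEVEL = "2019-12-05"

# Constructed sample of `adb shell pm list packages -3 -i` (one line per
# third-party package; "installer=null" means no recorded installer, i.e. the
# APK was sideloaded or the install source was not retained).
SAMPLE_PM_OUTPUT = """\
package:com.example.launcher  installer=com.android.vending
package:com.example.datasaver  installer=com.amazon.venezia
package:com.example.passwordmgr  installer=null
package:com.example.sideloaded  installer=com.android.packageinstaller
"""

# Assumed policy: devices must carry at least this security patch level.
REQUIRED_PATCH_LEVEL = date(2020, 3, 5)

# Installer package names of the stores this example treats as official
# (Google Play, Amazon Appstore, Samsung Galaxy Store). Adjust to local policy.
OFFICIAL_STORES = {
    "com.android.vending",
    "com.amazon.venezia",
    "com.sec.android.app.samsungapps",
}


def parse_patch_level(getprop_output: str) -> date:
    """Turn the YYYY-MM-DD patch level string into a date; reject anything else."""
    m = re.fullmatch(r"\s*(\d{4})-(\d{2})-(\d{2})\s*", getprop_output)
    if not m:
        raise ValueError(f"unexpected security patch level: {getprop_output!r}")
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def patch_level_is_current(getprop_output: str, required: date = REQUIRED_PATCH_LEVEL) -> bool:
    """True when the device's patch level is at or after the required cutoff."""
    return parse_patch_level(getprop_output) >= required


def parse_installers(pm_output: str) -> dict:
    """Map each listed package to its installer package name (None if 'null')."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def flag_non_store_apps(pm_output: str, official=OFFICIAL_STORES) -> list:
    """Return third-party packages whose installer is not an official store.

    A missing installer, or a generic one such as the on-device package
    installer, indicates a sideloaded APK and is worth a closer look.
    """
    return sorted(
        pkg for pkg, installer in parse_installers(pm_output).items()
        if installer not in official
    )


def device_report(patch_output: str, pm_output: str) -> dict:
    """Combine both checks into one result a fleet tool could act on."""
    flagged = flag_non_store_apps(pm_output)
    return {
        "patch_level": parse_patch_level(patch_output).isoformat(),
        "patch_level_ok": patch_level_is_current(patch_output),
        "non_store_apps": flagged,
        "compliant": patch_level_is_current(patch_output) and not flagged,
    }


if __name__ == "__main__":
    report = device_report(SAMPLE_PATCH_LEVEL, SAMPLE_PM_OUTPUT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the device fails both checks: its patch level predates the cutoff, and two packages were not installed by any listed store. Run against real `adb` output, the same functions give an inventory of exactly the two conditions the article warns about, without needing to know anything about a specific malware family.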
Hank Schless is senior manager of security solutions at Lookout.
Enjoy additional insights from Threatpost's Infosec Insiders community by visiting our microsite.
www.lookout.com
blog.lookout.com/lookout-discovers-global-rooting-malware-campaign
threatpost.com/mediatek-bug-actively-exploited-android/153408/
threatpost.com/microsite/infosec-insiders-community/
threatpost.com/pegasus-spyware-uses-iphone-zero-click-imessage-zero-day/168899/