Cybercriminals will try to use legitimate capabilities to obfuscate malicious activity. The true intentions of an app are oftentimes hidden in the data access permissions and behaviors, and even then, can be difficult to uncover without the right tools. Static and dynamic analysis of the industry’s largest mobile dataset enables Lookout researchers to protect customers by continuously discovering and researching new threats. Devices with Lookout installed can detect and be alerted if AbstractEmu is present on the device.
To learn more about the technical specifications of this campaign, including IOCs, read the full article here.
Researchers at Lookout have discovered 19 applications, some with as many as 10,000 downloads, present in mobile app stores. The malware, dubbed AbstractEmu, uses code abstraction and anti-emulation checks to avoid running while under analysis. This helps minimize the chance that it will be uncovered.
AbstractEmu leverages advanced evasion tactics and has a sophisticated code base, which indicates that the threat actor group behind it is well-resourced and has financial motivations. The malware can exploit several vulnerabilities to gain root access to the device. CVE-2020-0041 had not been previously exploited in the wild, CVE-2020-0069 is a vulnerability found in MediaTek chips which are used by dozens of smartphone manufacturers, then the AbstractEmu actors also modify publicly available code for other CVEs in order to add support for more targets.
Once the device is rooted, AbstractEmu exhibits behaviors similar to banking trojans that Lookout has discovered in the past. This includes the ability to gain permissions that enable them to phish login credentials and two-factor authentication tokens delivered by SMS. In addition, we observed more advanced capabilities such as enabling the threat actor to interact with other apps on the device and capturing content on the screen.
September 22, 2023
Apple recently released two software updates for iOS and iPad OS for vulnerabilities that can form an exploit chain and are also known to install Predator spyware.
September 15, 2023
September 19, 2023