Google Play Store removes over a dozen malicious Android utility apps
Researchers unable to figure out the intentions of the threat actors behind the cleverly disguised malware
Security researchers have helped remove 19 apps from the Google Play Store that installed rare rooting malware to take over the smartphone.
Discovered by cybersecurity investigators at Lookout, the malware, dubbed AbstractEmu, rooted an infected Android device to carry out a range of malicious activities, including monitoring notifications, capturing screenshots, recording the screen, and even resetting the device password or locking the device completely.
“By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware — steps that would normally require user interaction,” the researchers observe.
The infected apps were disguised as utility apps, such as password managers, data savers and app launchers, and were fully functional. Of the 19 apps that were taken down, the researchers say seven exhibited rooting capabilities, and one had clocked more than 10,000 downloads.
Rare, but deadly
The researchers note that while rooting malware has all but disappeared over the last five years, AbstractEmu is proof that it isn't dead yet. They also draw attention to the steps the malware takes to avoid detection, using code abstraction and anti-emulation checks so that it stays dormant when it suspects it is running inside an analysis sandbox rather than on a real handset.
Once on a device, AbstractEmu uses one of five exploits for older Android security flaws to root the device and take control of it; a device on a current security patch level is therefore not exposed to the rooting step, although the disguised app itself is still installed. After gaining control, it collects a wide range of data about the device, sends it to a remote server, and waits to receive additional payloads.
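The anti-emulation checks mentioned above are the reason such samples often do nothing in a stock emulator. The following is an added example, not Lookout's analysis or code from AbstractEmu itself: it implements a representative set of Android emulator-detection heuristics (system properties that emulator-aware malware commonly inspects) from the defender's side, so an analyst can run it over the `getprop` output of a sandbox and see which values would give the sandbox away. The specific property checks are an assumption about common emulator detection, not the checks AbstractEmu performs, and the two `getprop` dumps are constructed samples, not captured output.

```python
"""Emulator-detection heuristics, viewed from the analyst's side.

Paste the output of `adb shell getprop` from a sandbox into
parse_getprop(); every indicator reported is a value that an
emulator-aware sample may use to decide to stay dormant.
Added example; the check list is an assumption about common
emulator detection, not AbstractEmu's actual logic.
"""
import re


def parse_getprop(text):
    """Parse `getprop` lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\[(.+?)\]: \[(.*)\]", line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def emulator_indicators(props):
    """Return (property, value, reason) for every value that looks like an emulator."""
    hits = []

    def check(key, predicate, reason):
        value = props.get(key)
        if value is not None and predicate(value):
            hits.append((key, value, reason))

    # Commonly used emulator tells (assumption: representative, not exhaustive).
    check("ro.kernel.qemu", lambda v: v == "1", "QEMU kernel flag set")
    check("ro.hardware", lambda v: v in ("goldfish", "ranchu"), "emulator HAL name")
    check("ro.product.model",
          lambda v: v.lower().startswith(("sdk", "android sdk built for", "google_sdk")),
          "SDK model string")
    check("ro.build.fingerprint",
          lambda v: "generic" in v or "test-keys" in v,
          "generic or test-keys build fingerprint")
    check("ro.product.device", lambda v: v.startswith("generic"), "generic device name")
    check("ro.build.tags", lambda v: v == "test-keys", "test-signed build")
    return hits


def looks_like_emulator(props, threshold=2):
    """True when at least `threshold` indicators fire (a sample might use just one)."""
    return len(emulator_indicators(props)) >= threshold


# Constructed sample dumps (illustrative values, not captured from real devices).
EMULATOR_GETPROP = """\
[ro.kernel.qemu]: [1]
[ro.hardware]: [ranchu]
[ro.product.model]: [sdk_gphone_x86]
[ro.product.device]: [generic_x86]
[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:11/RSR1.201013.001/6903271:user/release-keys]
[ro.build.tags]: [release-keys]
"""

PHONE_GETPROP = """\
[ro.kernel.qemu]: [0]
[ro.hardware]: [qcom]
[ro.product.model]: [Pixel 4a]
[ro.product.device]: [sunfish]
[ro.build.fingerprint]: [google/sunfish/sunfish:13/TQ3A.230805.001/10316531:user/release-keys]
[ro.build.tags]: [release-keys]
"""


def report(label, text):
    props = parse_getprop(text)
    hits = emulator_indicators(props)
    print(f"{label}: {'EMULATOR' if looks_like_emulator(props) else 'looks physical'}"
          f" ({len(hits)} indicator(s))")
    for key, value, reason in hits:
        print(f"  {key} = {value!r}: {reason}")


if __name__ == "__main__":
    report("stock AVD", EMULATOR_GETPROP)
    report("retail phone", PHONE_GETPROP)
```

Every property this script flags is one an analyst can override in a custom AVD image or a rooted test device so that an emulator-aware sample proceeds far enough to reveal its rooting and C2 behaviour; the threshold is deliberately low because a sample may bail on a single tell.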
“At the time of discovery, the threat actor behind AbstractEmu had already disabled the endpoints necessary to retrieve this additional payload from C2 [command-and-control server], which has prevented us from learning the ultimate aim of the attackers,” the researchers conclude.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he's TechRadar Pro's expert on the topic. Of course, he's just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.