{
	"id": "035d5eb6-5b27-43f6-95dc-4f0855640102",
	"created_at": "2026-04-06T00:08:12.809186Z",
	"updated_at": "2026-04-10T03:30:33.20666Z",
	"deleted_at": null,
	"sha1_hash": "358910a011138cc0db85266b670e5909326c85a8",
	"title": "Rooting Malware Makes Comeback: Lookout Discovers Global Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1012756,
	"plain_text": "Rooting Malware Makes Comeback: Lookout Discovers Global Campaign\r\nBy Lookout\r\nPublished: 2021-10-28 · Archived: 2026-04-05 16:57:30 UTC\r\nSecurity researchers at Lookout have identified a new rooting malware distributed on Google Play and prominent third-party stores such as the Amazon Appstore and the Samsung Galaxy Store.\r\nWe named the malware “AbstractEmu” after its use of code abstraction and anti-emulation checks to avoid running while under analysis. A total of 19 related applications were uncovered, seven of which contain rooting functionality, including one on Google Play that had more than 10,000 downloads. To protect Android users, Google promptly removed the app as soon as we notified them of the malware.\r\nThis is a significant discovery because widely distributed malware with root capabilities has become rare over the past five years. As the Android ecosystem matures, fewer exploits affect a large number of devices, which makes them less useful to threat actors.\r\nWhile rare, rooting malware is very dangerous. By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware — steps that would normally require user interaction. Elevated privileges also give the malware access to other apps’ sensitive data, something not possible under normal circumstances.\r\n“Lite Launcher,” an app launcher replacement, is one of the AbstractEmu apps that appeared on Google Play. It had more than 10,000 downloads.\r\nWho is the threat actor and what do they want?\r\nWhile we don’t know exactly who is behind AbstractEmu, we think the actors are a well-resourced group with financial motivation. Their code base and evasion techniques — such as the use of burner emails, names, phone numbers and pseudonyms — are quite sophisticated.
We also found parallels between the malware and banking trojans, such as the untargeted distribution of their apps and the permissions they seek.\r\nhttps://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign\r\nPage 1 of 9\n\nAbstractEmu disguised itself as a number of different apps, including utility apps such as password managers, and system tools like app launchers or data savers. From left to right: Anti-ads Browser, Data Saver, Lite Launcher, My Phone, Night Light, All Passwords, Phone Plus.\r\nIndiscriminate targeting\r\nOne of the major clues as to the threat actors behind AbstractEmu is the widespread, untargeted distribution of the apps. Of the 19 apps we found related to the malware, most were disguised as utility apps such as password or money managers, and system tools like file managers and app launchers. All of them appeared functional to users. This includes “Lite Launcher,” which had more than 10,000 downloads before it was taken off Play.\r\nThe types of vulnerabilities AbstractEmu takes advantage of also point to a goal of targeting as many users as possible, as relatively recent vulnerabilities from 2019 and 2020 are leveraged. One of the exploits used CVE-2020-0041, a vulnerability not previously seen exploited in the wild by Android apps. Another exploit targeted CVE-2020-0069, a vulnerability in MediaTek chips used by dozens of smartphone manufacturers that have collectively sold millions of devices. As a hint of the threat actor’s technical abilities, they also modified publicly available exploit code for CVE-2019-2215 and CVE-2020-0041 to add support for more targets.\r\nThe way the AbstractEmu threat actor distributes these apps is also indiscriminate. In addition to Google Play, the Amazon Appstore and the Samsung Galaxy Store, we found them on Aptoide, APKPure and other lesser-known app stores and marketplaces.
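The three CVEs named above all have public fix dates in the Android Security Bulletins (CVE-2019-2215 in the October 2019 bulletin, CVE-2020-0041 and CVE-2020-0069 in the March 2020 bulletin), so a device’s ro.build.version.security_patch string is enough to estimate which of AbstractEmu’s exploit binaries could still work against it. The script below is an added example, not Lookout’s code; the getprop dump it parses is constructed for the example, and the rule that CVE-2020-0069 only matters on MediaTek platforms (identified by an mt-prefixed ro.hardware, ro.board.platform or ro.mediatek.platform) is an assumption drawn from the post’s description of that bug.

```python
# Added example (not Lookout's code): flag an Android device whose security
# patch level predates the fixes for the three CVEs AbstractEmu's exploit
# binaries target. Fix dates are from the Android Security Bulletins:
# CVE-2019-2215 (Oct 2019), CVE-2020-0041 and CVE-2020-0069 (Mar 2020).
# The property dump below is constructed; on a real device it comes from
# `adb shell getprop`.
from datetime import date

# CVE -> first Android security patch level that contains the fix
PATCHED_IN = {
    'CVE-2019-2215': date(2019, 10, 6),
    'CVE-2020-0041': date(2020, 3, 5),
    'CVE-2020-0069': date(2020, 3, 5),
}

# CVE-2020-0069 is a MediaTek driver bug, so it only applies to MediaTek
# SoCs (assumption: platform properties starting with 'mt' mark those).
MEDIATEK_ONLY = {'CVE-2020-0069'}

def parse_getprop(dump):
    '''Parse getprop output lines of the form [key]: [value] into a dict.'''
    props = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith('[') or ']: [' not in line:
            continue
        key, _, value = line[1:-1].partition(']: [')
        props[key] = value
    return props

def parse_patch_level(value):
    '''ro.build.version.security_patch is YYYY-MM-DD; None if absent or malformed.'''
    try:
        y, m, d = (int(p) for p in value.split('-'))
        return date(y, m, d)
    except (ValueError, AttributeError):
        return None

def is_mediatek(props):
    for key in ('ro.hardware', 'ro.board.platform', 'ro.mediatek.platform'):
        if props.get(key, '').lower().startswith('mt'):
            return True
    return False

def exposed_cves(props):
    '''Return, sorted, the CVEs whose fix the device has not received.'''
    level = parse_patch_level(props.get('ro.build.version.security_patch'))
    if level is None:
        # No patch level at all: treat every exploit as applicable.
        return sorted(PATCHED_IN)
    mtk = is_mediatek(props)
    return sorted(
        cve for cve, fixed in PATCHED_IN.items()
        if level < fixed and (cve not in MEDIATEK_ONLY or mtk)
    )

# Constructed sample: a MediaTek device last patched before March 2020.
SAMPLE_GETPROP = '''
[ro.product.manufacturer]: [ExampleCorp]
[ro.product.model]: [EX-100]
[ro.board.platform]: [mt6765]
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-12-05]
'''

if __name__ == '__main__':
    for cve in exposed_cves(parse_getprop(SAMPLE_GETPROP)):
        print('exposed to', cve)
```

Two caveats for anyone using this on real fleets: an OEM may backport a fix without moving the patch-level string (so the check overestimates exposure), and a device that has already been rooted can report any patch level it likes, so a clean result is only meaningful on a device you otherwise trust.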
In terms of promotions, we uncovered advertisements on social media and Android-related forums. While most were written in English, we did find one instance where the malware was promoted in Vietnamese. Though our telemetry showed that people in the United States were the most impacted, people from a total of 17 countries were victimized by AbstractEmu.\r\nParallels to banking trojans\r\nIn addition to the untargeted distribution of the apps, the extensive permissions granted through root access align with other financially motivated threats we have observed before. This includes common permissions banking trojans request that give them the ability to receive any two-factor authentication codes sent via SMS, or to run in the background and launch phishing attacks. There are also permissions that allow for remote interaction with the device, such as capturing content on the screen and accessing accessibility services, which enables threat actors to interact with other apps on the device, including finance apps. Both of these are similar to the permissions requested by the Anatsa and Vultur malware families.\r\nBeyond these, Mandrake was another financially motivated threat with extensive spyware capabilities similar to those seen with AbstractEmu. By having complete insight into the device and its activity, the actors can tailor their attacks to the specific target and increase the likelihood of success.\r\nMultilayer malicious flow\r\nThe threat actor behind AbstractEmu goes to great lengths to evade detection — from the initial infection to the third stage of the infection.
None of the techniques is unique on its own, but deployed together as part of a campaign they indicate just how well-resourced the threat actor is.\r\nAbstractEmu does not have any sophisticated zero-click remote exploit functionality of the kind used in advanced APT-style threats; it is activated simply by the user opening the app. As the malware is disguised as functional apps, most users will likely interact with them shortly after downloading.\r\nInitial infection: anti-emulation and device inspection\r\nBeyond the legitimate functionality of the trojanized apps lies a series of steps taken to ensure AbstractEmu isn’t detected, which are activated as soon as the user opens the app. The first step is to check whether the infected device is a real device or an emulator. Similar to the checks in the open source library EmulatorDetector, the malware looks at the device’s system properties, list of installed applications and filesystem.\r\nOnce the device passes that initial analysis, the app begins communicating with its command and control (C2) server via HTTP, expecting to receive a series of JSON commands to execute. Each app contains hard-coded commands that it supports.
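The anti-emulation step described above matters to an analyst mostly as a checklist of what a sandbox must hide before the sample will reach its C2 stage. The block below is an added example, not AbstractEmu’s or EmulatorDetector’s code: it scores the three evidence sources the post names (system properties, installed packages, filesystem paths) against a short list of widely known emulator tells. The specific properties, package names, paths and the two-hit cutoff are assumptions about what such a check looks for, not the malware’s actual lists, and both device profiles are constructed.

```python
# Added example (not AbstractEmu's or EmulatorDetector's code): emulator
# detection heuristics of the kind the post describes, scored over system
# properties, installed packages and filesystem paths. The indicator lists
# are common emulator tells and are an assumption about what such a check
# looks for; they are not taken from the malware. Inputs are constructed;
# on a real device they come from `getprop`, `pm list packages` and stat.

# (property, substring that marks an emulator); matched case-insensitively
PROPERTY_TELLS = [
    ('ro.kernel.qemu', '1'),
    ('ro.hardware', 'goldfish'),
    ('ro.hardware', 'ranchu'),
    ('ro.hardware', 'vbox86'),
    ('ro.product.device', 'generic'),
    ('ro.product.model', 'sdk'),
    ('ro.product.model', 'emulator'),
    ('ro.build.fingerprint', 'generic'),
]

PACKAGE_TELLS = [
    'com.google.android.launcher.layouts.genymotion',
    'com.bluestacks',
    'com.bignox.app',
]

PATH_TELLS = [
    '/dev/qemu_pipe',
    '/dev/goldfish_pipe',
    '/dev/socket/qemud',
    '/dev/socket/genyd',
    '/system/lib/libc_malloc_debug_qemu.so',
    '/system/bin/qemu-props',
]

def emulator_evidence(props, packages, existing_paths):
    '''Return the list of matched indicators; empty means the device looks real.'''
    hits = []
    for key, tell in PROPERTY_TELLS:
        value = props.get(key, '')
        if tell in value.lower():
            hits.append('prop:%s=%s' % (key, value))
    pkgs = set(packages)
    for pkg in PACKAGE_TELLS:
        if pkg in pkgs:
            hits.append('pkg:' + pkg)
    present = set(existing_paths)
    for path in PATH_TELLS:
        if path in present:
            hits.append('path:' + path)
    return hits

def looks_like_emulator(props, packages, existing_paths, threshold=2):
    '''Bail out once enough tells line up; the threshold is an assumed cutoff.'''
    return len(emulator_evidence(props, packages, existing_paths)) >= threshold

# Constructed sample: a stock Android Virtual Device image.
AVD_PROPS = {
    'ro.kernel.qemu': '1',
    'ro.hardware': 'ranchu',
    'ro.product.device': 'generic_x86_64',
    'ro.product.model': 'Android SDK built for x86_64',
    'ro.build.fingerprint': 'google/sdk_gphone_x86_64/generic_x86_64:11/RSR1.201013.001/6903271:userdebug/dev-keys',
}
AVD_PACKAGES = ['com.android.settings', 'com.android.vending']
AVD_PATHS = ['/dev/qemu_pipe', '/dev/goldfish_pipe']

# Constructed sample: a physical handset, which should produce no hits.
PHONE_PROPS = {
    'ro.kernel.qemu': '0',
    'ro.hardware': 'mt6765',
    'ro.product.device': 'EX100',
    'ro.product.model': 'EX-100',
    'ro.build.fingerprint': 'ExampleCorp/EX100/EX100:9/PPR1.180610.011/1:user/release-keys',
}

if __name__ == '__main__':
    for hit in emulator_evidence(AVD_PROPS, AVD_PACKAGES, AVD_PATHS):
        print(hit)
    print('emulator:', looks_like_emulator(AVD_PROPS, AVD_PACKAGES, AVD_PATHS))
    print('emulator:', looks_like_emulator(PHONE_PROPS, [], []))
```

Run the same function against your own analysis image: every line it prints is a tell you would need to patch (build.prop overrides, removed qemu device nodes, a plausible installed-app set) before a sample with checks like these will proceed past the first stage.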
To decide which command to execute, the app sends a large amount of data to the C2 server, including both the commands it supports and device data such as the device’s manufacturer, model, version and serial number, telephone number and IP address.\r\nTo decide on what further actions to take, AbstractEmu apps send a large amount of data to the C2 server.\r\nOther information AbstractEmu’s C2 server checks includes whether the app has root access, which app was used to install the malicious app and whether the requested permissions and capabilities have been granted.\r\nIn total we found four supported commands embedded within these apps, though not all of the apps offer the same capabilities.\r\nWe saw a total of four different types of JSON commands sent from AbstractEmu’s C2 server, which are listed above.\r\nThe rooting process: the heart of the malicious flow\r\nAt the center of AbstractEmu’s infection flow is getting root access to the Android device. By rooting the device, the malware is able to silently modify the device in ways that would otherwise require user interaction and to access data of other apps on the device.\r\nTo ensure the process goes smoothly, the apps are embedded with hidden, encoded files used during and after the rooting process — including exploit binaries targeting different vulnerabilities. By default, these binaries are executed in a specific order, although the C2 server can change that order based on how the device is configured.\r\nBy default, AbstractEmu malware attempts to execute these exploits in the order they are shown in this table.
The C2 server can change that order based on the device’s configuration.\r\nIn addition to these binaries, the apps also contain three encoded shell scripts and two encoded binaries copied from Magisk that are used during and after the rooting process. Magisk is a tool that allows Android users to acquire root access on their devices.\r\nTwo of the shell scripts are used to execute the exploit binary, gain root and then use the elevated privileges to install the Magisk components for further root access. The newly installed Magisk components are used to execute the final shell script, which first extracts an APK embedded in a binary to the device.\r\nThen the package manager is used to silently install a new app and grant it a number of intrusive permissions, such as access to contacts, call logs, SMS messages, location, camera and microphone. In addition, the app modifies settings to grant itself risky capabilities or reduce the device’s security. With these capabilities the app can be used to conduct phishing attacks and provide the actor with all the information needed for illicit access to user accounts.\r\nThe malware changes the device’s settings and grants itself risky permissions, both of which make the device easier to target.\r\nThe “Settings Storage” App\r\nThe silently installed app is disguised as “Settings Storage” on the Android device. If the user tries to run the app, it exits and opens the legitimate Settings app. The app itself does not contain any malicious functionality, which makes it harder to detect.
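The end state of the rooting chain described above is concrete enough to hunt for: a package that no store installed, holding the full set of contact, call-log, SMS, location, camera and microphone runtime permissions without the user ever being prompted. The script below is an added example, not Lookout’s code, that triages a dumpsys package dump for exactly that. The dump is constructed for the example; its Package [...], installerPackageName= and granted=true lines follow the shape real dumps use, but the parser tolerates whatever else is present. The installer package names treated as benign stores (Google Play, Amazon Appstore, Samsung Galaxy Store) and the three-permission cutoff are assumptions.

```python
# Added example (not Lookout's code): triage a `dumpsys package` dump for the
# post-root outcome the post describes, a silently installed package holding
# the intrusive runtime permissions AbstractEmu grants. The dump below is
# constructed; the parser keys only on 'Package [', 'installerPackageName='
# and 'granted=true' lines and ignores everything else. The known-store
# installer names and the cutoff are assumptions, not indicators from the post.

WATCHED_PERMISSIONS = {
    'android.permission.READ_CONTACTS',
    'android.permission.READ_CALL_LOG',
    'android.permission.READ_SMS',
    'android.permission.RECEIVE_SMS',
    'android.permission.ACCESS_FINE_LOCATION',
    'android.permission.CAMERA',
    'android.permission.RECORD_AUDIO',
}

# Installer package names of the stores the post mentions (assumed benign).
KNOWN_STORES = {
    'com.android.vending',               # Google Play
    'com.amazon.venezia',                # Amazon Appstore
    'com.sec.android.app.samsungapps',   # Samsung Galaxy Store
}

def parse_dumpsys(dump):
    '''Map package name -> {'installer': str or None, 'granted': set of permissions}.'''
    packages = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith('Package [') and ']' in line:
            name = line[len('Package ['):line.index(']')]
            current = packages.setdefault(name, {'installer': None, 'granted': set()})
        elif current is None:
            continue
        elif line.startswith('installerPackageName='):
            value = line[len('installerPackageName='):].strip()
            current['installer'] = None if value in ('', 'null') else value
        elif line.startswith('android.permission.') and ': granted=true' in line:
            current['granted'].add(line.split(':', 1)[0])
    return packages

def suspicious_packages(packages, min_watched=3):
    '''Packages not installed by a known store that hold at least min_watched watched permissions.'''
    findings = []
    for name, info in sorted(packages.items()):
        watched = sorted(info['granted'] & WATCHED_PERMISSIONS)
        if info['installer'] in KNOWN_STORES or len(watched) < min_watched:
            continue
        findings.append((name, info['installer'], watched))
    return findings

# Constructed sample: a store-installed app and a side-loaded one with no installer.
SAMPLE_DUMP = '''
Packages:
  Package [com.example.litelauncher] (1a2b3c4):
    userId=10120
    installerPackageName=com.android.vending
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true
  Package [com.example.settingsstorage] (5d6e7f8):
    userId=10231
    installerPackageName=null
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true
        android.permission.READ_CALL_LOG: granted=true
        android.permission.READ_SMS: granted=true
        android.permission.RECEIVE_SMS: granted=true
        android.permission.ACCESS_FINE_LOCATION: granted=true
        android.permission.CAMERA: granted=true
        android.permission.RECORD_AUDIO: granted=true
        android.permission.POST_NOTIFICATIONS: granted=false
'''

if __name__ == '__main__':
    for name, installer, perms in suspicious_packages(parse_dumpsys(SAMPLE_DUMP)):
        print(name, 'installer=%s' % installer, ', '.join(perms))
```

On a real device feed it the output of adb shell dumpsys package, and treat a hit as a lead rather than a verdict: a user can legitimately side-load an app and grant it everything, and a rooted device can also lie to dumpsys, so confirm with the Magisk and exploit-file hashes from the IOC lists.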
The app depends entirely on the files its C2 server provides during execution. At the time of discovery, the threat actor behind AbstractEmu had already disabled the endpoints necessary to retrieve this additional payload from the C2, which has prevented us from learning the ultimate aim of the attackers.\r\nRare or not, always keep your OS up to date\r\nWhile we weren’t able to discover the purpose of AbstractEmu, we gained valuable insights into a modern, mass-distributed rooting malware campaign, a kind of threat that has become rare as the Android platform matures.\r\nRooting Android or jailbreaking iOS devices are still the most invasive ways to fully compromise a mobile device. What we need to keep in mind — whether you’re an IT professional or a consumer — is that mobile devices are perfect tools for cyber criminals to exploit, as they have countless functionalities and hold an immense amount of sensitive data.\r\nTo ensure you or your organization stay secure, we recommend diligently keeping your operating system up to date. Additionally, we recommend downloading apps from official stores only, as malware taken down from these stores may still be available elsewhere.
Regardless of which store you use, always exercise caution when installing unknown apps.\r\nOf course, you should also have dedicated mobile security software to secure against all mobile threats, including phishing, OS and app vulnerabilities, malware and network threats.\r\nIndicators of compromise\r\nAbstractEmu APKs\r\n(Download CSV file here)\r\nFile hashes - Exploit Files\r\n(Download CSV file here)\r\nFile hashes - Rooting Tools\r\n(Download CSV file here)\r\nNetwork IOCs\r\n(Download CSV file here)\r\nSource: https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"
	],
	"report_names": [
		"lookout-discovers-global-rooting-malware-campaign"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434092,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/358910a011138cc0db85266b670e5909326c85a8.pdf",
		"text": "https://archive.orkl.eu/358910a011138cc0db85266b670e5909326c85a8.txt",
		"img": "https://archive.orkl.eu/358910a011138cc0db85266b670e5909326c85a8.jpg"
	}
}